My computer is infected with some kind of malware/spyware.
I have checked one of the options in Avast to notify me (display a message) when scanning outgoing emails.
When Windows loads, I can see many messages of outgoing spam messages being sent out from my machine.
This malware or spyware (whatever) stops me from doing anything since it uses many resources and actually “stuck” my network.
Avast did not recognize anything, and according to Avast my computer is clean.
You would appear to have a spambot trojan of some sort, check out the programs below which specialise in trojan detection and removal.
I’m surprised that avast isn’t detecting multiple identical emails in a specific duration, part of the heuristics checks in the Internet Mail provider, even if it can’t detect the originating spambot. Are you sure that your Internet Mail provider is running ?
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode: Ewido Security Suite if using WinXP, or a-Squared Free if using Win98/ME.
If a-squared and ewido and avast did not detect anything… the only thing you can do is a full on-line scan.
But I’m almost sure you have other problems than infection in this case.
TrendMicro is a good on-line scanner.
And “Are you sure that your Internet Mail provider is running ?”
What Operating System are you using ?
What is your email program ?
Do you have a firewall ?
As a firewall should be able to block unauthorised outbound connections.
If your computer is infected with malware/spyware, you should be asking for help on the forum of your antiSPYWARE provider; if you know of none, I recommend www.landzdown.com .
If you have a second machine or a friend, try pulling your hard disk and having the second machine or your friend’s machine scan your C: drive. I just defeated one tonight that way. Avast couldn’t see it, and whatever this thing was, it disabled both trendmicro and another online scanner I found… that’s what these little *&^%$#’s do these days: they write viruses that beeline for the antivirus and malware utilities and shut them off. I used earthlink’s utilities (infineon?) on my shoebox machine and it found something that nothing else was finding. Some viruses get going and nothing can see them, so it’s necessary to have your C: drive scanned in a situation where nothing is running on it. Not that I’ve gotten rid of the virus; I still don’t think avast is updating correctly, or adaware se either, so I think it also changed some stuff in the registry.
I have tried almost everything you said, including scanning the hard drive from another computer - but nothing.
The Ewido tool did not find anything either.
I have now tested the machine with the HiJackThis, and this is the report:
Logfile of HijackThis v1.99.1
Scan saved at 08:02:40, on 04/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I hope that we can find a bit more about what is happening in your system before you resort to reformatting your system disk.
To better identify what may be happening it will probably be useful to create (for a while) a more detailed avast! log of your mail connections.
You can get the mailscanner to log your connections by editing the avast4.ini file (in Program Files\Alwil Software\Avast4\DATA folder).
In the section headed:
[MailScanner]
add the line:
Log=20
and save the updated file.
The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log
If you are then willing to share the log … please first obscure any personally identifiable information in it … we shall have a better chance of understanding which process may be creating any spam email being sent from your system.
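The avast4.ini edit described above, as an added example that is not from the thread: a small helper that sets Log=20 in the [MailScanner] section, replacing an existing Log= line, appending one if the section has none, or creating the section if it is missing. It works on the file contents as a string; the section name and key come from the post, the Windows path handling is an assumption.

```python
import re

# Added example (not from the forum thread): turn on verbose avast! mail scanner
# logging by editing the [MailScanner] section of avast4.ini as the post above
# describes. The ini text is passed in as a string so the logic runs offline;
# on a real system you would read/write
# Program Files\Alwil Software\Avast4\DATA\avast4.ini.

SECTION = "[MailScanner]"


def set_mailscanner_log(ini_text: str, level: int = 20) -> str:
    """Return ini_text with 'Log=<level>' set in the [MailScanner] section.

    - An existing Log= line in that section is replaced in place.
    - If the section exists but has no Log= line, one is appended to it.
    - If the section is missing entirely, it is created at the end.
    Other sections are left untouched; applying this twice is a no-op.
    """
    out = []
    in_section = False
    done = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Leaving [MailScanner] without having seen Log=: add it before
            # any blank lines that separate it from the next section.
            if in_section and not done:
                blanks = []
                while out and not out[-1].strip():
                    blanks.append(out.pop())
                out.append(f"Log={level}")
                out.extend(blanks)
                done = True
            in_section = stripped.lower() == SECTION.lower()
        elif in_section and not done and re.match(r"(?i)^\s*log\s*=", line):
            line = f"Log={level}"  # replace the existing value (case-insensitive key)
            done = True
        out.append(line)
    if not done:
        if not in_section:  # section never appeared: create it at the end
            if out and out[-1].strip():
                out.append("")
            out.append(SECTION)
        out.append(f"Log={level}")
    return "\n".join(out) + "\n"
```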
I do not understand why I cannot trace the application that sends these emails - isn't that something that a simple firewall should tell me?
Which is why we asked if you had a firewall and what it was ?
This is a link for the on-line analysis of your log, http://hijackthis.de/logfiles/b1e0e2f768ee0bf920850b2f8dc8a2a3.html The question about a firewall is very relevant (see below). There are a couple of unknown entries and one possibly nasty one, so you should confirm that you installed them and you know what they are. Other than those, things at first glance look OK.
We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
So it doesn’t appear that you have any active firewall that can check outbound connections.
Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Comodo, Jetico, Sunbelt Kerio, etc.
See some firewall tests for comparison; some are freeware but many are paid-for versions: http://www.firewallleaktester.com/tests.php.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
The BackLight tool is worth trying to see if there are any hidden processes, and also Alan’s suggestion to gather more information should help in tracking down the problem, which according to your HJT log has also overcome many on-line scanners (watch out for future detections related to Panda’s unencrypted signature files).
This is the report from Avast.
Just to mention that I have installed ZoneAlarm and the log file reports that the intrusion comes from svchost.exe and services.exe.
The log you posted confirms that services.exe is the process sending out all these emails - which that process should, of course, not be doing.
Services.exe is a normal windows system process but it would appear that yours has been replaced by an email worm to include itself.
A quick scan shows that a number of email worms (a number of Sober variants included) replace the services.exe file.
For what it is worth this file appears on my system in Windows\System32 only and its size is 108032 dated 08/04/2004 03:00
Since you have now installed ZoneAlarm you should deny outbound access to services.exe. That will stop the emails going out but it will not remove the malware.
If you have not already tried all the scanners recommended in this thread then now is the time to try them all. Other than that I hope that someone here in the forum may have more knowledge of this type of infection and provide you with guidance on clean-up.
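The reasoning in the post above (a genuine services.exe lives only in Windows\System32, and worms replace or plant copies), turned into a check that runs over a file inventory. This is an added example, not from the thread: the inventory is a constructed list of (path, size) pairs, the reference size 108032 is the XP SP2 value quoted in the post and is assumed to apply only to that build, and the dllcache / ServicePackFiles locations are assumed as the places Windows XP keeps its own backup copies.

```python
import ntpath
from dataclasses import dataclass

# Added example (not from the forum thread): flag suspicious copies of
# services.exe in a file inventory gathered while the disk is scanned from a
# clean second machine. Constructed sample data; nothing here touches a live
# system.

# Assumption: reference size quoted in the post for Windows XP SP2 only.
EXPECTED_SIZE = 108032
# Assumption: directories where XP legitimately keeps services.exe
# (live copy, File Protection cache, service pack source files).
KNOWN_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\system32\dllcache",
    r"c:\windows\servicepackfiles\i386",
}


@dataclass
class Finding:
    path: str
    reason: str


def check_services_exe(inventory, known_dirs=KNOWN_DIRS, expected_size=EXPECTED_SIZE):
    """Return a Finding for every services.exe that is in the wrong place or
    has an unexpected size. inventory: iterable of (path, size_in_bytes).
    Matching is case-insensitive, as NTFS paths are."""
    findings = []
    for path, size in inventory:
        directory, name = ntpath.split(path)
        if name.lower() != "services.exe":
            continue  # unrelated file
        d = directory.lower().rstrip("\\")
        if d not in known_dirs:
            findings.append(Finding(path, "services.exe outside known Windows locations"))
        elif size != expected_size:
            findings.append(Finding(path, f"size {size} != expected {expected_size}"))
    return findings


# Constructed sample inventory: one legitimate copy, one cache copy, two strays.
SAMPLE_INVENTORY = [
    (r"C:\WINDOWS\system32\services.exe", 108032),
    (r"C:\WINDOWS\system32\dllcache\services.exe", 108032),
    (r"C:\WINDOWS\services.exe", 54784),
    (r"C:\Documents and Settings\user\Local Settings\Temp\services.exe", 54784),
    (r"C:\WINDOWS\system32\svchost.exe", 14336),
]
```

A copy that sits in System32 with the expected size can still be a replacement, so a clean finding here is a reason to compare hashes against a known-good copy, not proof of health.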
It is disturbing that Avast Pro did not prevent or cannot find and remove the worm.
I would try both Bit Defender and Kaspersky online scans at Jotti’s. http://virusscan.jotti.org/de/
Jerry
Other than sending out spam and doing a very good job of hiding, it doesn’t appear to be harming the computer, which would draw attention to it.
If you had checked the HJT log you would have seen that it has numerous entries for on-line scanners, such as Symantec, McAfee, TrendMicro, Panda, and he has also run Ewido, one of the best trojan hunters, not to mention avast and BackLight, all of which have found nothing.
So I suppose disturbing would be appropriate if it wasn’t directly aimed at avast!
We have been trying to help and now that doront99 has an active firewall that checks outbound activity he can do something to block it where previously he couldn’t.
Hi David,
{So I suppose disturbing would be appropriate if it wasn’t directly aimed at avast!}
But is it not the job of an AV to prevent worms, etc from getting on the computer? I would find it disturbing whatever AV was being used.
I would like to see how it makes out with the scanners I mentioned. Maybe no difference, but I do have some problem believing that it has been around for more than a day, and none detect it.
It would be interesting to submit it to Jotti’s and see if any recognize it.
Worms are not Avast’s strongest point according to AV Comparatives. Not especially weak, but less than some others by 15% or so.
What is disturbing is that a rootkit tool, a good trojan hunter and a whole slew of anti-viruses and hijackthis haven’t found anything. So I don’t feel avast alone should come in for your criticism “It is disturbing that Avast Pro did not prevent or cannot find and remove the worm.”
No one AV is ever going to catch everything and new variants will have a lifespan before detection. Jotti may turn up something, possibly in the generic or heuristic AV scanners.
@ doront99
You could also send the services.exe to avast.
If you are getting a virus warning that you believe is a new, undetected virus, then, if you can, zip and password protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces).
Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be either a new, undetected virus, and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
Hi David,
[What is disturbing is that a rootkit tool, a good trojan hunter and a whole slew of anti-viruses and hijackthis haven’t found anything. So I don’t feel avast alone should come in for your criticism “It is disturbing that Avast Pro did not prevent or cannot find and remove the worm.”]
But that slew of AVs did not include the one with the best detection rates, KAV. I will withdraw my criticism if he runs an online scan with KAV and/or Bit Defender. I am convinced that one or both will find it. Sure I may be wrong, but until I have tried the best AVs, considering the detection rates, I will continue to think that it is the primary fault of the AV.
I am using Avast Home on my laptop. However, I am not wedded to any software, and that includes KAV 6 which I use. I just want to find out if an AV with higher detection rates would find the worm. I believe it would.
It is not like I am insulting a member of your family, but trying to find out whether Avast should have caught it if it had better detection rate of worms. Why is that something that you should be defensive about?
I realize and agree that the immediate problem is to help get rid of the worm, but it should be of interest to improve the AV.
It is obvious that Avast is inferior in the area of detection to several others. Maybe one uses it for years and does not have an infection. That is great, but when one does I do not believe in excusing the primary tool to prevent that infection, until I find that the best ones also would not have prevented an infection.