I’ve been notified by my DSL provider that I may have a Trojan running which may be causing some unusual traffic. Could anyone tell me which processes should be running for Avast Home Edition with Windows XP. I looked at the processes running and I can identify all but one which is:
aswUpd5v.exe
Is this a process for Avast?
aswUpSv.exe is a valid process for avast! (note the 6th character is the letter S)
Are you sure it is from your DSL provider ?
Why would they tell you this ?
What is the content of the message ?
There have been a number of social engineering emails purporting that your system is infected, when the purpose is to get you to install an update or attachment, or visit a link to install a patch/update. This in fact infects your system, so you need to exercise extreme care when this form of unsolicited email arrives in your inbox.
Yes, I'm sure it is an e-mail from my DSL provider. I contacted them about the e-mail and they had me run the Microsoft OneCare (I think it was called) Virus and Spyware scan. Thanks for your response.
The following processes should be running:
ashServ.exe (avast! antivirus service: the resident protection)
aswUpdSv.exe (avast! Update Service)
ashWebSv.exe (avast! Web Scanner service)
ashMaiSv.exe (avast! e-Mail Scanner service)
ashDisp.exe (the interface, the icon on system tray).
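The poster's question is whether aswUpd5v.exe (digit 5) is the same thing as the aswUpdSv.exe (letter S) in the list above. The following is an added example, not code from the original thread or from avast!: it checks a list of observed process names against the avast! names quoted in this post and flags names that are not an exact match but differ only by a confusable character, so they can be looked at more closely (file path, file properties). The process names fed to it are constructed sample input; the similarity threshold and the confusable-character table are assumptions chosen for the demonstration.

```python
"""
Added example (not from the original forum thread or from avast!): compare
observed process names with the avast! Home Edition process list quoted in
the thread and flag near-misses such as aswUpd5v.exe vs aswUpdSv.exe.
"""
from difflib import SequenceMatcher
from typing import Dict, Iterable, Optional, Tuple

# Known avast! Home Edition processes exactly as listed in the thread (lower-cased).
KNOWN_AVAST = {
    "ashserv.exe": "avast! antivirus service (resident protection)",
    "aswupdsv.exe": "avast! Update Service",
    "ashwebsv.exe": "avast! Web Scanner service",
    "ashmaisv.exe": "avast! e-Mail Scanner service",
    "ashdisp.exe": "avast! tray interface",
}

# Assumed table of digits that pass for letters at a glance in a file name.
CONFUSABLE = {"5": "s", "0": "o", "1": "l", "3": "e", "8": "b"}

# Assumed similarity threshold above which a non-exact name counts as a lookalike.
THRESHOLD = 0.85


def normalise(name: str) -> str:
    """Lower-case the name and map confusable digits to the letters they imitate."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in name.lower())


def classify(name: str, known: Dict[str, str] = KNOWN_AVAST,
             threshold: float = THRESHOLD) -> Tuple[str, Optional[str]]:
    """Return (verdict, closest_known_name) for one observed process name.

    verdict is one of:
      'known'     - exact (case-insensitive) match to a listed avast! process
      'lookalike' - not exact, but at least `threshold` similar to a listed
                    name after confusable-character normalisation; worth
                    checking the executable's path and properties
      'unknown'   - nothing in the list resembles it (not necessarily bad:
                    Windows and other software have their own processes)
    """
    lowered = name.lower()
    if lowered in known:
        return "known", lowered
    target = normalise(name)
    best_name, best_ratio = None, 0.0
    for candidate in known:
        ratio = SequenceMatcher(None, target, normalise(candidate)).ratio()
        if ratio > best_ratio:
            best_name, best_ratio = candidate, ratio
    if best_ratio >= threshold:
        return "lookalike", best_name
    return "unknown", None


def triage(process_names: Iterable[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every observed name; returns {name: (verdict, closest_known)}."""
    return {n: classify(n) for n in process_names}


if __name__ == "__main__":
    # Constructed sample task-list output, including the name from the thread.
    observed = ["ashServ.exe", "aswUpd5v.exe", "ashDisp.exe", "explorer.exe", "svchost.exe"]
    for proc, (verdict, closest) in triage(observed).items():
        note = f" (closest listed name: {closest})" if closest else ""
        print(f"{proc:16} {verdict}{note}")
```

A "lookalike" verdict is not a malware verdict; it only says the name is one character away from a listed avast! process and that the executable's location and properties should be checked rather than assumed.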
OK, but what was the information they gave to justify their suspicions, mass mail from you, etc. what traffic ?
Do you have a firewall, if so what ?
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
- Ewido, a.k.a. AVG Anti-Spyware, if using WinXP, or a-squared Free if using Win98/ME.
I have a Linksys firewall. I don’t have any specific data from the DSL provider. Is there anything you would suggest I ask for?
The reason I ask about a firewall is that I doubt you have outbound protection, and whilst most hardware firewalls have good inbound protection, almost all don't have any outbound protection. This could stop whatever it is that the ISP finds suspicious.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
- Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Comodo, Sunbelt Kerio, Jetico, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml
I would have expected the ISP to say what activity it finds suspicious/unusual, not simply make a sweeping statement of 'unusual activity'; ask them what it is that they find unusual and why.
I prefer the Kerio Firewall. Why? It is easy to understand.
And it creates no conflicts with your other software, and it is free.
I have been using Kerio for 9 months now and I could not do without this remarkable
firewall, also in the free version. After 30 days it changes
into the free Kerio; one function is then not active, but it is not an important
thing. So I am a happy user!
Thanks for your responses. I did get a response from my e-mail to the DSL provider, this is a response from their SPAM filter system. I forgot I have the Windows XP firewall that comes with Service Pack 2. Is this an adequate firewall?
Windows XP's firewall is better than no firewall, but it lulls you into a false sense of protection: it doesn't provide outbound protection.
I would say you need to look at a third party firewall to protect against unauthorised outbound connections. Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.
So check out the links I gave before about firewalls. If, as your ISP is saying, it is spam originating from your system, you need outbound protection; also run either of the programs AVG Anti-Spyware or a-squared and see if they find any trojan spambot/mass mailer.
I would also suggest you put the avast Internet Mail provider on High sensitivity.
If you want a suggestion ;D
Comodo, Kerio, ZoneAlarm and Outpost (even the free version) are some freeware options.
I get the message 'POP RPC Server is trying to act as a server' as soon as I restarted after turning on ZoneAlarm. Should I Allow or Deny this?
I assume that you weren’t trying to connect with your email program ?
What is your email program ?
I would certainly deny 'POP RPC Server' access as a server and probably internet access completely; this is not something that I have heard of before and could simply be something trying to look sort of official.
Then check and see if you can use your email normally. If you can, it is a good indication that it is malware, possibly sending out spam. If you can't use your email as normal (send, receive), then it is simple to delete the entry for POP RPC Server in ZoneAlarm.
A Google search for 'POP RPC Server trojan' without the quotes returns many hits, many relating to MS Outlook (not Express) and a vulnerability in XP, so if your XP isn't SP2 (?) and fully up to date I suggest an urgent visit to Windows Update.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci928211,00.html?newsEL=10.13
Can you post more info about the program (and the path of the executable) that is trying to connect to the Internet and, in this case, to accept connections from the Internet (act like a server)?