Spam E-Mails being Sent from my PC (7000+ Today Alone)

Hello!

I have a question I would like to ask the experienced AV gurus here at Avast.

I have a PC running Win XP at work. I also have Avast Home installed and running swell. I have done a thorough scan on my entire PC and it actually picked up quite a bit of virii in the process of doing so.

There have been quite a few times where Avast will alert me saying something to the effect of “Too many duplicate emails have been sent!” and it gives me a choice to continue sending the emails or stop sending them.

After checking the Avast E-Mail scanner results, it says that it has sent out 7000+ emails today alone. These emails are being sent from and to random email addresses. The body text is verses from the Bible.

I have Outlook and Outlook Express setup on this machine if this helps at all.

What I have tried to do to correct:
* Run complete scan again (including boot time scan).
* Run Spybot S&D
* Run Crap Cleaner
* Run HijackThis
* Run WinTasks Pro 5

All of these and no resolution. I was hoping that some of you on this board might have an idea of what might be happening and how I can go about resolving the issue before the ISP shuts us down or something.

Thank you very much in advance!

-Derek

P.S. It was also doing this same thing with Norton AV. I have uninstalled Norton and used Avast instead. It makes me shiver having to say the N-word. My apologies. :wink:

Oh, and BTW: I am very computer literate. Tell it to me straight doc! ;D

The Alwil team should seriously incorporate the outbound email worm protection in Standard Shield for proactive protection against such crap (which is otherwise used by the Internet Mail provider).
Otherwise I think you can see the EXE file responsible for this by hovering over the email scanner icon next to the clock (appears when scanning mail). At least if I remember correctly.

Excellent. I will try this. I remember trying to double-click as well as right-click on the icon, but nothing appeared.

In the meantime, if there are any other suggestions, I would like to hear what you have to say.

Thanks!

Methinks that (very) young RejZoR is getting old and forgets that avast used, by default, to warn users of this problem.

It used to be (before faintheartedness) that avast would give this process information in the “timeout” message on the send side of the avast email scanner. But alas due to too many complaints from users of P2P programs using port 25 (among other issues) the avast team got cold feet and turned it off. At least it meant fewer complaints for avast - even if users like SendDerek did not get useful warning information anymore.

So, SendDerek … here is a suggestion:

In the Internet Mail Scanner, select “Customize” and then select the “Advanced” tab

Check the box “Timeout for Internet Communication(s)” set the time to 60 (seconds)

Click “OK”

If 60 seconds produces no results then it may be worth trying 25 seconds (spambots are not always completely stupid).

I believe (or I hope … since avast may have made other changes) that the spambot sending emails on your system will trip this avast check and cause a pop-up (as in the memory of RejZoR) that will advise you that a process whose name it will tell you has spent too long sending emails out of your system without your approval.

If you choose to follow this advice please let us know if this has any value in diagnosing your problem.

Just a thought, has Avast updated to its newest DAT file? There was a worm introduced over the new year designed solely for spamming:
details:
Subject - Happy New Year!
Attachment - POSTCARD.exe
Worm Name - Nuwar.B

Now I know that Avast was not picking this up as of yesterday because I tried it. I wasn’t infected, I was just trying various scanners to see which one found it…!!

Worth checking…?

Can you please send an email with the file (false positive or infected) to: virus (at) avast.com
You can zip and password the files… Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

What is your firewall?
This should be able to catch unauthorised outbound connections unless of course your firewall doesn’t provide outbound protection, like XP’s firewall.

You could also try sysinternals.com TCPView that should show the connections established and what program/file initiated the connection.

Sysinternals.com was bought by Microsoft in July, 2006 and became Windows Sysinternals :stuck_out_tongue:
http://www.microsoft.com/technet/sysinternals/default.mspx

That’s right but sysinternals.com redirects to the new site.

This is all great advice! Thank you very much.

I’m going to look into the timeout function, and then I’m very interested in this Sysinternals TCPView.

I will post the results.

Glad we could help, welcome to the forums.

It’s not that certain email though. Like I said earlier, it’s an email that contains verses from the Bible. I will try and get the newest updates though. I had just installed it yesterday and assumed (dangerous) that it had installed all the updates automatically.

Here you can see more about timeouts in the Internet Mail provider and your email account: http://forum.avast.com/index.php?topic=11380.msg96646#msg96646
Anyway, since avast! version 4.7.807 the mail scanner module (“Internet Mail” provider) has been significantly changed to improve the overall user experience, especially in case of slow connections (dial-up). Namely, most of (if not all) the “Timeout expired” related problems should be gone by now.

Now I know that Avast was not picking this up as of yesterday because I tried it. I wasn't infected, I was just trying various scanners to see which one found it..!!

I disagree, the “postcard” worm was being detected from the very beginning (Avast was one of the first who detected it).

How did you find out it can’t detect it?

Am I guessing correctly if I say VirusTotal and/or Jotti’s?

Thanks for posting… from time to time, an official word about detection is comfortable. :wink:

Okay, I have more information for you guys and a screenshot.

The information I get when I hover over the icon is pretty random, but for the most part, this bit is almost always on there:

mx10.tds.net

Some others that I managed to write down quickly (it changes every second):
nsl.smfiber…
bootsit.com

Here is the screenshot with TCPView and Avast showing:

http://img.photobucket.com/albums/v203/send_derek/SpamMessages.jpg

We don’t really use this computer for e-mails, so as a temp fix, I wanted to block all outgoing smtp traffic. Is there a way to do this?

You need to block ports 25 and 12025, as you can see in the picture…
Which is your firewall? Do you have a router to connect the Internet?

Well, System Process is a pretty weird process name, as it is usually only listed as System, so this might be something trying to masquerade as System, although the Process ID of 0 is also weird.

In Task Manager what has the process ID of 0?

There is no easy way to block emails being sent; you would have to block the email port 25 in either a firewall or router, as this would appear to be using its own emailer. So you still haven’t said what your firewall is?

Try windows, Start, Run, type ‘msconfig’ without the quotes and click OK, now look at the Startup Tab and list what you see there.

Well the TCPView is just showing you that it is avast that is actually facilitating the sending of the spam messages.

Did you try the suggestion I gave you to have avast identify the process sending the spam?

As Tech says you need a firewall with outbound protection to really help you with this one.

If you have such a firewall then you should remove outbound access for ashMaiSv.exe, this is the avast process that is actually delivering the mail. That will stop it being sent. It will not identify the infection in your system or remove it - which is what you ultimately need to do.

Again if you have an outbound protection firewall and you terminate the avast e-mail scanner then the real culprit sending the emails should show up asking for permission to connect outbound (or it will be a process you have already authorized but should not have).

It is very typical for these spambots to hijack a Windows process to do their work, we have quite often seen in the past winlogon.exe and explorer.exe as the infected processes. Neither of these should have any valid reason for outbound access.
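As an added example (not from this thread or from avast), here is a small Python script that applies the reasoning above to a TCPView-style connection snapshot: it flags any process other than the expected mail senders that is talking to port 25 or to avast’s local proxy port 12025, and separately flags a PID 0 entry that is not named “System”. The snapshot lines, the allow-list of mail senders and the role of port 12025 are assumptions drawn from the thread, not real captures.

```python
from typing import List, Tuple

SMTP_PORTS = {25, 12025}  # 25 = SMTP; 12025 = avast's local mail-scanner proxy (per the thread)
# Processes expected to talk SMTP on a box with Outlook, Outlook Express and avast (assumed allow-list).
EXPECTED_SENDERS = {"outlook.exe", "msimn.exe", "ashmaisv.exe"}

# Constructed TCPView-style snapshot (not the poster's real screenshot):
# process, pid, protocol, local address, remote address, state
SAMPLE_SNAPSHOT = """\
ashMaiSv.exe 1480 TCP 192.168.1.20:3301 mx10.tds.net:25 ESTABLISHED
ashMaiSv.exe 1480 TCP 127.0.0.1:12025 127.0.0.1:3299 ESTABLISHED
winlogon.exe 612 TCP 127.0.0.1:3299 127.0.0.1:12025 ESTABLISHED
System Process 0 TCP 192.168.1.20:3310 bootsit.com:25 SYN_SENT
outlook.exe 2200 TCP 127.0.0.1:3400 127.0.0.1:12025 ESTABLISHED
svchost.exe 1040 UDP 192.168.1.20:1025 *:* -
"""


def parse_snapshot(text: str) -> List[dict]:
    """Parse one connection per line; process names may contain spaces, so split from the right."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proc, pid, proto, _local, remote, state = line.rsplit(None, 5)
        host, _, port = remote.rpartition(":")
        rows.append({"proc": proc, "pid": int(pid), "proto": proto, "host": host,
                     "port": int(port) if port.isdigit() else None, "state": state})
    return rows


def find_suspect_senders(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (process, pid, remote, reason) for connections that look like an unauthorised mailer."""
    suspects = []
    for c in parse_snapshot(text):
        # Only the remote side matters: the avast proxy *listening* on 12025 shows local port 12025,
        # whereas a sender shows remote port 12025 (or 25 if it bypasses the proxy entirely).
        if c["proto"] != "TCP" or c["port"] not in SMTP_PORTS:
            continue
        if c["pid"] == 0 and c["proc"] != "System":
            reason = "PID 0 but not the kernel 'System' process"
        elif c["proc"].lower() not in EXPECTED_SENDERS:
            reason = "unexpected SMTP sender"
        else:
            continue
        suspects.append((c["proc"], c["pid"], f'{c["host"]}:{c["port"]}', reason))
    return suspects


if __name__ == "__main__":
    for proc, pid, remote, reason in find_suspect_senders(SAMPLE_SNAPSHOT):
        print(f"{proc} (pid {pid}) -> {remote}: {reason}")
```

On the sample data the avast proxy and Outlook are ignored, while winlogon.exe (sending through the proxy) and the PID 0 impostor are reported, which is the same picture the thread arrives at by hand.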