Spam E-Mails being Sent from my PC (7000+ Today Alone)

Just to add, if the shyte is running inside the SYSTEM process it’s quite likely there’s a kernel-mode malware component involved (a rootkit, basically). Not very good news indeed… :-\

What you could try is run a specialized rootkit-detection tool such as F-Secure Blacklight (it’s free): http://www.f-secure.com/blacklight/try_blacklight.html

Thanks
Vlk

Sorry for withholding information from y'all.

This isn’t a machine that I’m normally working on and it has no firewall except that of Windows SP2.

I have checked the processes in msconfig and there is nothing out of the ordinary (or so it seems).

Which firewall would be recommended for this one? Something free would be best.

I cannot see any process with the ID of 0.

I also do connect through a router. I will configure it to block port 25.

There’s one other way we can get avast to report the process path … at least it might confirm the System Process contamination.

It might prove useful to create (for a while, since the volume of messages will create a large log) a more detailed avast! log of your mail connections.

You can get the mailscanner to log your connections by editing the avast4.ini file (in Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:

[MailScanner]

add the line:

Log=20

and save the updated file.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log and will contain avast’s reading of the path of the process being used to make the outbound connections.

I tried the log thing. I can’t really read it very easily though.

I would like to share it with you guys. It started to grow very rapidly and became > 1MB. I will upload it to MediaFire so that you can download it and look for yourselves.

http://www.mediafire.com/?0ym0jwmvitz

Here is a small portion:


250-8BITMIME
250-PIPELINING
250 SIZE 71303168
01/03/07 16:22:31 00000E34:   <-SMTP 250-csmtpmx13.frontal.correo
250-8BITMIME
250-PIPELINING
250 SIZE 71303168
01/03/07 16:22:31 00000E34:   sent 79 (1160)
01/03/07 16:22:31 00000E34:   received 33 (1160)
01/03/07 16:22:31 00000E34:   ->SMTP MAIL FROM:<efe-getafe@terra.es>
01/03/07 16:22:31 00000E34:   sent 33 (1104)
01/03/07 16:22:31 00000E34:   received 40 (1104)
01/03/07 16:22:31 00000E34:   <-SMTP 250 MAIL FROM:<efe-getafe@terra.es> OK
01/03/07 16:22:31 00000E34:   sent 40 (1160)
01/03/07 16:22:31 00000E34:   received 31 (1160)
01/03/07 16:22:31 00000E34:   ->SMTP RCPT TO:<efe-getafe@terra.es>
01/03/07 16:22:31 00000E34:   sent 31 (1104)
01/03/07 16:22:32 00000440:   Cannot connect to SMTP server 65.54.244.40 (65.54.244.40:25), connect error 10060
01/03/07 16:22:32 00000440:   sent 87 (904)
01/03/07 16:22:32 00000440:   --SMTP Finishing connection handler
01/03/07 16:22:32 000005DC:   SMTP accept connection from: 127.0.0.1
01/03/07 16:22:32 000005DC:   Connection handler: 00000D08 (1024)
01/03/07 16:22:32 00000D08:   Ignored PIDs: 2672 3724 
01/03/07 16:22:32 00000D08:   Ignored Addresses: 72.3.135.203:80 193.243.128.78:80 193.243.128.76:80 62.132.1.234:80 204.58.27.57:80 204.58.27.41:80 204.58.27.49:80 204.58.27.33:80 198.200.173.74:80 198.200.173.139:80 127.0.0.1:80 192.168.0.4:119 127.0.0.1:119 192.168.0.4:143 127.0.0.1:143 192.168.0.4:25 127.0.0.1:25 192.168.0.4:110 127.0.0.1:110 
01/03/07 16:22:32 00000D08:   Ignored Processes: avgemc.exe forx.exe FXMadeEasy.exe aoltpspd.exe waol.exe tor.exe wcescomm.exe utorrent.exe ypager.exe V3P3AT.EXE bitcomet.exe mpftray.exe ABC.EXE CZDCPlusPlus.ex CRAXY.EXE NETMONSV.EXE SYMPROXYSVC.EXE NAVAPW32.EXE WEBPROXY.EXE EMULE.EXE TMPROXY.EXE isafe.exe SMPROXY.EXE ccLgView.exe ccSetMgr.exe ccPwdSvc.exe ccApp.exe ccProxy.exe ccPxySvc.exe ccEvtMgr.exe winroute.exe avast.setup 
01/03/07 16:22:32 00000D08:   --SMTP command REDIRECT 65.54.244.72:25 1856
01/03/07 16:22:32 00000D08:   PATH: \Device\HarddiskVolume2\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

Is the link supposed to contain some data?

BTW maybe you could make the log file < 200KB and attach it here?

Thanks
Vlk

There is a download file button on that page.

You had better download Comodo. It’s free and it has a feature named “define a new banned application” in which you can select an application to block from any internet access. This firewall helped me a lot with a bot which did the same work as yours (sending numerous emails). I did a full system scan with avast and even if it found it, it couldn’t stop it. Then I tried Spybot and AVG Antispyware and they couldn’t stop it either. So I disabled the avast email scanner, found the process that contains the bot, blocked it with Comodo and did an online scan with BitDefender; it found the bot and deleted it, and after that I ran Windows in safe mode and deleted it myself because it appeared again. Now I have no problems and I still have the exe file in Comodo’s block list, just in case. Maybe my bot was easier to remove, but I think Comodo helped me a lot with that. You can see some good free firewalls here: http://www.snapfiles.com/Freeware/security/fwfirewall.html. I recommend Comodo and ZoneAlarm… :wink:

Here is a section from my log when I deliberately send an email message …

1/03/07 17:35:38 00000254:   Ignored Addresses: 72.3.135.203:80 193.243.128.78:80 193.243.128.76:80 62.132.1.234:80 204.58.27.57:80 204.58.27.41:80 204.58.27.49:80 204.58.27.33:80 198.200.173.74:80 198.200.173.139:80 127.0.0.1:80 70.86.176.98:119 212.26.219.158:119 
01/03/07 17:35:38 00000254:   Ignored Processes: avgemc.exe forx.exe FXMadeEasy.exe aoltpspd.exe waol.exe tor.exe wcescomm.exe utorrent.exe ypager.exe V3P3AT.EXE bitcomet.exe mpftray.exe ABC.EXE CZDCPlusPlus.ex CRAXY.EXE NETMONSV.EXE SYMPROXYSVC.EXE NAVAPW32.EXE WEBPROXY.EXE EMULE.EXE TMPROXY.EXE isafe.exe SMPROXY.EXE ccLgView.exe ccSetMgr.exe ccPwdSvc.exe ccApp.exe ccProxy.exe ccPxySvc.exe ccEvtMgr.exe winroute.exe avast.setup 
01/03/07 17:35:38 00000254:   --SMTP command REDIRECT 204.127.225.17:25 392
01/03/07 17:35:38 00000254:   PATH: \Device\HarddiskVolume2\Program Files\Mozilla Thunderbird\thunderbird.exe
01/03/07 17:35:38 00000254:   Connected to SMTP server 204.127.225.17 25 (496)

You notice the PATH statement gives the name of the process that is sending the email - in this case my Thunderbird mail client.

In your log it is consistently pointing to the program ashDisp.exe. This is very strange and I guess we will have to see if the avast folks have a comment. I suppose that it is just possible that someone has managed to infect avast itself or to masquerade as an avast module.

Did you try the blacklight scan suggested by Vlk?

By the way what is the size, date and time of your ashDisp.exe file?
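The posts above read the ashmaisv.log by eye: find the PATH line for each connection handler and see which process avast blames for the outbound SMTP session. On a log that grows past 1MB in minutes that is tedious, so here is an added example (my code, not avast's) that does the same grouping mechanically: it parses each entry by its eight-hex-digit handler id, collects the REDIRECT destination, PATH, MAIL FROM and RCPT TO lines per handler, then summarises per process and flags anything that is not an expected mail client or that fans out to many MX hosts with many envelope senders, which is how a direct-to-MX spam bot looks and how a normal client does not. The entry layout is assumed from the excerpts in this thread, the `expected_clients` allowlist is an operator assumption, and the sample log is constructed (RFC 5737 addresses, example.* mailboxes) in the same format as the excerpts.

```python
"""Summarise outbound SMTP sessions in an avast 4 ashmaisv.log by originating process.
Added example, not avast code: the entry layout (date, time, eight-hex-digit handler
id, message) is assumed from the log excerpts posted in this thread."""
import re
from collections import defaultdict

# One entry: "01/03/07 16:22:32 00000D08:   message".  Lines without this prefix are
# continuations of a multi-line server reply (e.g. "250-8BITMIME") and add nothing.
LINE_RE = re.compile(r"^\d{1,2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ([0-9A-Fa-f]{8}):\s+(.*)$")
REDIRECT_RE = re.compile(r"--SMTP command REDIRECT (\S+):\d+")
PATH_RE = re.compile(r"PATH: (.+)")
MAIL_FROM_RE = re.compile(r"->SMTP MAIL FROM:<([^>]*)>")
RCPT_TO_RE = re.compile(r"->SMTP RCPT TO:<([^>]*)>")
FAILED_RE = re.compile(r"Cannot connect to SMTP server ")


def parse_sessions(text):
    """Group entries by handler id; one id is one proxied outbound SMTP connection."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        hid, msg = m.groups()
        s = sessions.setdefault(hid, {"path": None, "dest": None, "senders": set(), "rcpts": set(), "failed": False})
        r = REDIRECT_RE.search(msg)
        if r:
            s["dest"] = r.group(1)          # real MX host the client was redirected to
        p = PATH_RE.search(msg)
        if p:
            s["path"] = p.group(1).strip()  # process avast attributes the socket to
        f = MAIL_FROM_RE.search(msg)
        if f:
            s["senders"].add(f.group(1).lower())
        t = RCPT_TO_RE.search(msg)
        if t:
            s["rcpts"].add(t.group(1).lower())
        if FAILED_RE.search(msg):
            s["failed"] = True              # e.g. connect error 10060 once port 25 is blocked
    return sessions


def summarize_by_process(sessions):
    """Per process path: session count, distinct MX hosts, distinct senders, failures."""
    by_proc = defaultdict(lambda: {"sessions": 0, "dests": set(), "senders": set(), "rcpts": 0, "failed": 0})
    for s in sessions.values():
        if s["path"] is None:
            continue                        # accept threads never log a PATH line
        p = by_proc[s["path"]]
        p["sessions"] += 1
        if s["dest"]:
            p["dests"].add(s["dest"])
        p["senders"] |= s["senders"]
        p["rcpts"] += len(s["rcpts"])
        p["failed"] += int(s["failed"])
    return dict(by_proc)


def flag_suspicious(summary, expected_clients=("thunderbird.exe",), max_dests=3):
    """Return {exe: [reasons]} for processes behaving like a direct-to-MX spam bot."""
    # expected_clients is the operator's allowlist (an assumption, not avast data).
    allow = {c.lower() for c in expected_clients}
    flagged = {}
    for path, p in summary.items():
        exe = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if exe not in allow:
            reasons.append("not an expected mail client")
        if len(p["dests"]) >= max_dests:
            reasons.append("%d distinct SMTP destinations" % len(p["dests"]))
        if len(p["senders"]) > 1:
            reasons.append("%d distinct envelope senders" % len(p["senders"]))
        if reasons:
            flagged[exe] = reasons
    return flagged


# Constructed sample in the thread's log format (RFC 5737 IPs, example.* mailboxes).
SAMPLE_LOG = """\
01/03/07 16:22:32 00000D08:   --SMTP command REDIRECT 192.0.2.10:25 1856
01/03/07 16:22:32 00000D08:   PATH: \\Device\\HarddiskVolume2\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
01/03/07 16:22:33 00000D08:   <-SMTP 250-mx.example.net
250-8BITMIME
01/03/07 16:22:33 00000D08:   ->SMTP MAIL FROM:<bob@example.com>
01/03/07 16:22:33 00000D08:   ->SMTP RCPT TO:<alice@example.net>
01/03/07 16:22:34 00000E34:   --SMTP command REDIRECT 192.0.2.20:25 1860
01/03/07 16:22:34 00000E34:   PATH: \\Device\\HarddiskVolume2\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
01/03/07 16:22:34 00000E34:   ->SMTP MAIL FROM:<dave@example.org>
01/03/07 16:22:34 00000E34:   ->SMTP RCPT TO:<erin@example.org>
01/03/07 16:22:35 00000440:   --SMTP command REDIRECT 192.0.2.30:25 1864
01/03/07 16:22:35 00000440:   PATH: \\Device\\HarddiskVolume2\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
01/03/07 16:22:35 00000440:   Cannot connect to SMTP server 192.0.2.30 (192.0.2.30:25), connect error 10060
1/03/07 17:35:38 00000254:   --SMTP command REDIRECT 198.51.100.5:25 392
01/03/07 17:35:38 00000254:   PATH: \\Device\\HarddiskVolume2\\Program Files\\Mozilla Thunderbird\\thunderbird.exe
01/03/07 17:35:38 00000254:   ->SMTP MAIL FROM:<me@example.com>
01/03/07 17:35:38 00000254:   ->SMTP RCPT TO:<friend@example.com>
"""

if __name__ == "__main__":
    print(flag_suspicious(summarize_by_process(parse_sessions(SAMPLE_LOG))))
```

Run it against the real file with `parse_sessions(open(path, encoding="latin-1").read())`; on the sample it reports ashDisp.exe with three reasons and leaves thunderbird.exe alone. The thresholds are deliberately loose: a single session to one relay from an unexpected binary is still flagged, because the process identity, not the volume, is the lead worth chasing (compare the ashDisp.exe file's size and date against a clean install, as asked above).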

I disagree, the “postcard” worm was being detected from the very beginning (Avast was one of the first who detected it).

How did you find out it can’t detect it?

Am I guessing correctly if I say VirusTotal and/or Jotti’s?

Nope, I tried it with my U3 (up to date) scanner on a machine where I’d copied the .exe to. I then tried numerous other scanners, e.g. McAfee (not mobile!) etc., to see if it could identify this .exe as being malicious… So, as of the 31st, none of the scanners I tried could see this as malicious.

Sorry, i was just telling it like it was!!

It may have been a corrupted sample then… (this is quite common, actually - the attachment gets somehow screwed and arrives in a non-working state).

Do you still have the file? It would be worth a quick look just to make sure…

Thanks
Vlk

Sorry, no. I’ve updated all scanners to the latest .dat files. It is worrying though that major anti-virus vendors can firstly not identify a known (it was known it was coming) malicious file, and secondly that some updates can get screwed in this fashion, leaving the user unprotected…!!

Alwil was (admittedly) one of the better ones in this instance.

Cheers

Maybe I said it wrong… all I was saying is that the postcard.exe file you got could be screwed (not the AV updates). That is, the virus sample could have been benign (damaged) and hence no AV detected it (which is, in this case, correct behavior).

Thanks
Vlk

Ouch, sorry. No I got rid of the .exe file after trying the various scanners. I don’t like leaving these types of files on any of my machines.

cheers

Sorry it has been so long since the last update.

The issue has not been resolved yet, mostly due to my inability to work on the machine. It’s the Point Of Sale machine for the store, and we are not able to ring people up without it.

I installed Comodo Firewall on it and disabled the Avast Mail protection in hopes that I could figure out what was happening through the use of Comodo’s logs. Unfortunately, without much time to configure it, the firewall was blocking important access that is needed for the POS system to work.

I am going to wait for a good load of down time and try and figure it out then. Also, I got the Qwest redirect page saying that the account is disabled because of this virus. I quickly lied my way through the page to regain internet access. I will be really trying to fix this virus today before we get redirected (or worse) again.

I will also be running the Blacklight scan when I am given the chance. I tried to do it once, ran it for about 10 minutes, and had to exit due to a customer.

This PC hasn’t been re-formatted in a while and we’re almost just looking at getting it wiped clean again instead of going through the virus-hunt hassle. But not yet.

Thank you for all of your support on this. I will keep you posted with any progress.

Blacklight is an online rootkit scanner… If you want an easier solution, try this one: http://www.trendmicro.com/download/rbuster.asp. It’s an on-demand scanner which doesn’t need an internet connection to scan… :wink: You can see other similar software here: http://www.geocities.com/dontsurfinthenude/antitrojan.htm

Vlk, Igor,

this user posted an avast mail log (almost a week ago!) that appears to show ashDisp.exe as the source of the spam email causing problems.

While I know that you are busy folks I think this demands a response from the avast team.

So … how about a comment please?

Maybe Vojtech is the man 8)

As another update, I have run the Blacklight program, but it came back with nothing. I have currently turned the avast mail client back on to see if there has been any mail going through. For some reason, it seems that it only goes through after 2:00 in the afternoon. I have also been watching TCPView but nothing has occurred. As another precaution, I have been watching the Comodo firewall logs, but it appears to be nothing out of the ordinary (BTW: Comodo blocks the Blacklight scan attempt. You must shut the firewall down first).

Once again, I will keep you guys posted on what is happening.

And as another little detail about it, we noticed it started happening around the new year and on two computers. One was a laptop that was connected to the network, and the other was the POS PC. We have 3 other computers on the same network, but they do not seem to be infected. These infected PCs also had Norton installed when the attack hit. The other machines did not. Since then, these 2 machines have had Avast installed instead. Norton had popped up about 100+ warning messages and totally froze the system, if you can imagine.

Thanks for any help!

Do you mean, when you’ve installed avast?
Disabling Norton is not enough to avoid conflicts with avast… :cry:
Please, follow: http://forum.avast.com/index.php?topic=23089.msg211543#msg211543

Oh, I know better than that. lol :slight_smile:

Norton was totally uninstalled before I installed Avast. I just meant that Norton was the AV installed at the time of attack. I installed Avast in hopes that Avast would take care of it better than Norton. And, it did detect a bunch of new viruses, but not the particular one that we’re trying to find.