Suspicious Message Alerts! Lots of them!!

Hi Folks,

I hope that someone can help me …

I’ve been using Avast now for nearly a year, and over the past two days I’ve had a problem:

I keep getting Suspicious Message alerts - one after another after another - until I pause the Internet Mail provider. I have no idea why this has suddenly started happening …

An example of one of these the alerts reads:

"Suspicious extension(s) of attachment
*update of KB9046-x86.exe

Sender: Serv@phazen.net
recipient: T@paypal.com"

The sender is always unknown to me, the recipient is often someone to whom I have sent mails in the past.

Today, I have run a full Avast scan, along with Spybot & AdAware … no issues. I have also tried reducing the sensitivity of the Internet Mail provider from ‘high’ to ‘normal’ … but with no change …

Anyone got any ideas???

Thanks

What buttons are there in the bottom of the warning window? (specifically, does the third one say “Block it”, or “Don’t send”?)

Hi Igor …

There are 3 buttons in the bottom of the warning window - delete (which is greyed out), continue and don't send!

I can email you a pic if it's any help!!

Hmm, it means that they are outgoing e-mails - i.e. there’s some (possibly undetected) piece of malware active on the computer sending out other infected e-mails (according to the filename, I’d say it’s a variant of Win32:Warezov).

First, I’d suggest to make sure you are using the latest avast! virus database (i.e. invoke a VPS update), perform a scan of the system (possibly a boot-time scan) and remove the detected files (or move them to Chest).

If it doesn’t help, get HijackThis and post its log here…

Hi Igor,

Avast! scan running now … I’ve downloaded and run HijackThis, and the log file is here:

Logfile of HijackThis v1.99.1
Scan saved at 13:20:10, on 20/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrafficSeeker 7.0\Scheduler.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\jgdwadsn.exe
C:\WINDOWS\sserrvv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Alwil Software\Avast4\ashSimp2.exe
C:\Documents and Settings\El Loxy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [sserrvv] C:\WINDOWS\sserrvv.exe s
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [DRL Sheduler] C:\Program Files\TrafficSeeker 7.0\Scheduler.exe
O4 - HKCU..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O20 - AppInit_DLLs: e1.dll w3sskbda.dll
O20 - Winlogon Notify: jgdwadsn - C:\WINDOWS\system32\jgdwadsn.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Hope this makes sense to you, because it doesn’t to me!!!

"C:\WINDOWS\system32\FreezeScreenSaver.exe"
I would delete this one, if I were you. It’s adware.

Igor will tell you about the rest.


@Igor:
I think e1.dll (O20 - AppInit_DLLs: e1.dll w3sskbda.dll) is usually connected with warezov/stration, as is “update of KB9046-x86.exe” of course.

Analysis of your log shows that there aren’t bad items…

c:\program files\alwil software\avast4\aswupdsv.exe - Avast’s anti-virus update service
c:\program files\alwil software\avast4\ashserv.exe - Avast’s anti-virus main module
c:\program files\alwil software\avast4\ashmaisv.exe - Avast’s anti-virus mail protection service
c:\program files\alwil software\avast4\ashwebsv.exe - Avast’s anti-virus webshield
c:\progra~1\alwils~1\avast4\ashdisp.exe - Avast’s anti-virus tray icon
c:\program files\common files\real\update_ob\realsched.exe - Real Player update checker
c:\program files\mozilla firefox\firefox.exe - Mozilla Firefox - browser
c:\program files\microsoft office\office11\winword.exe - Microsoft’s Word
o23 - service: avast! iavs4 control service (aswupdsv) - c:\program files\alwil software\avast4\aswupdsv.exe
o23 - service: avast! antivirus - c:\program files\alwil software\avast4\ashserv.exe
o23 - service: avast! mail scanner - c:\program files\alwil software\avast4\ashmaisv.exe" /service (file missing) - Avast’s mail provider running as a service
o23 - service: avast! web scanner - c:\program files\alwil software\avast4\ashwebsv.exe" /service (file missing) - Avast’s webshield provider running as a service

Ignore any references to O23 entries for avast, this is a bug in HJT 1.99.1. HijackThis is searching for ‘C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service’ (including double quotes and the ‘/service’ parameter) as a file; this causes ‘file missing’, because only ‘C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe’ is present.
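As an added illustration of the HJT 1.99.1 quirk described above (this is example code, not code from the thread or from HijackThis), the function below splits a service ImagePath into executable and arguments before testing for the file, and contrasts it with the naive handling that yields the spurious "(file missing)". The ImagePath values and the set of present files are constructed samples, and the ".exe" rule for unquoted paths is a simplification of what the Windows loader actually does.

```python
import re

# Constructed sample: ImagePath values of the kind behind the O23 lines in the
# log above (a quoted path followed by a "/service" argument) plus an unquoted one.
SAMPLE_IMAGE_PATHS = {
    "avast! Mail Scanner": '"C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service',
    "avast! Web Scanner": '"C:\\Program Files\\Alwil Software\\Avast4\\ashWebSv.exe" /service',
    "Pml Driver HPZ12": "C:\\WINDOWS\\system32\\HPZipm12.exe",
}

# Constructed stand-in for the filesystem so the check runs offline
# (lower-cased, because NTFS path lookups are case-insensitive).
PRESENT_FILES = {
    "c:\\program files\\alwil software\\avast4\\ashmaisv.exe",
    "c:\\program files\\alwil software\\avast4\\ashwebsv.exe",
    "c:\\windows\\system32\\hpzipm12.exe",
}


def naive_executable(image_path: str) -> str:
    """Mimics the HJT 1.99.1 behaviour: only the leading quote is stripped,
    so the closing quote and the '/service' argument stay in the file name."""
    return image_path.lstrip('"')


def service_executable(image_path: str) -> str:
    """Extract the executable from a service ImagePath.
    A quoted path ends at the closing quote. For an unquoted path we stop at
    the first '.exe' (assumption/simplification: the real loader probes each
    space-delimited prefix in turn, which is why unquoted paths with spaces
    are a hijacking risk in their own right)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:] if end == -1 else s[1:end]
    m = re.match(r"(.+?\.exe)(?:\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s.split()[0]


def check_service(name: str, image_path: str, present=PRESENT_FILES) -> dict:
    """Report both interpretations so the false 'file missing' is visible."""
    naive = naive_executable(image_path)
    real = service_executable(image_path)
    return {
        "service": name,
        "executable": real,
        "naive_missing": naive.lower() not in present,  # what HJT 1.99.1 reports
        "missing": real.lower() not in present,         # the real answer
    }


if __name__ == "__main__":
    for svc, path in SAMPLE_IMAGE_PATHS.items():
        print(check_service(svc, path))
```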

Besides what Spyros mentions, to me these are also suspect:
C:\WINDOWS\System32\jgdwadsn.exe
C:\WINDOWS\sserrvv.exe
O4 - HKLM..\Run: [sserrvv] C:\WINDOWS\sserrvv.exe s
O20 - Winlogon Notify: jgdwadsn - C:\WINDOWS\system32\jgdwadsn.dll

A google search for these fails to return any hits, which to me is suspicious.
Whilst, as Tech mentioned, there are no positively detected bad items, there are many unknown items that require further investigation (google the file names, etc.). You can also submit the files at the on-line analysis site for unknown/suspect files (copy and paste your log here http://hijackthis.de/index.php).

You will also notice that the analysis concludes that it doesn’t find an active software firewall; if you haven’t got one, you are going to be fighting an uphill battle to get clean.

Firstly, my thanks to Igor, Tech, Spyros & David R for their help!

I’m not sure what it all means though!! … from the bottom up - I’ve successfully deleted C:\WINDOWS\system32\FreezeScreenSaver.exe. The (second today) full Avast! scan has now finished, and it found a virus - Win32-Warezov-ME, which is now in the chest.

I then switched the internet mail provider back on, and have had no recurrence of the original problem.

I am unable to delete C:\WINDOWS\System32\jgdwadsn.exe, but have deleted C:\WINDOWS\sserrvv.exe …

Do I need to do any more?

David - I’m puzzled - I have Windows Firewall running??

Thanks again guys …

I am unable to delete C:\WINDOWS\System32\jgdwadsn.exe,
What reason is given for this? Windows in its infinite wisdom protects files in use (even malware) or in system folders, so it is likely that avast! can't delete or move files in use.
- Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html

Well, the analysis tool isn’t perfect, but also the XP firewall provides no outbound protection. As fast as you get rid of them they could be downloaded again.

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

If you haven’t already got this software (freeware), download, install, update and run it.

  1. Ewido, a.k.a. AVG Anti-Spyware, if using WinXP, or a-squared Free if using Win98/ME.
  2. Ad-Aware SE Personal Edition
  3. Spybot Search and Destroy
  4. Spywareblaster Don’t install this until you are clean.

Yox, KillBox is a very strong delete tool (www.killbox.net).
But, probably, it won’t be enough. You need to follow other suggestions from David.

DavidR ,
I’ve noticed those too but didn’t want to say more because Igor was the one who asked for the HJT log. I’m 99% sure that these files are from the Warezov/Stration, as I’ve already cleaned one system from an undetected sample.

I couldn’t delete Warezov/Stration worms with any AV or AntiSpyware I’ve tried if they were active in the memory. What I used was the free version of “Security Task Manager” (http://www.neuber.com/taskmanager/index.html) to find and delete those. An excellent tool, even in the feature-limited free version.

O4 - HKLM..\Run: [sserrvv] C:\WINDOWS\sserrvv.exe s
Concur - mass e-mailer trojan.

Sorry, I’ve missed this one :cry: :-\

I rather think Igor was hoping others would also help once the log was posted here ;D

Something that we didn’t mention to ‘Yox’ was these suspect files should also be sent to virus@avast.com in a zipped password protected email, before disposal/deletion.

Morning Everyone,

Well, this morning I powered up, and immediately got a Trojan alert, which was something called twain22.exe: win32:PdPinch-AU. This was sent to the chest. It has reappeared 4 times in the hour and a half since I powered up.

I have read the comments on the forum … I’m getting paranoid guys!! … I’ve downloaded and run Security Task Manager, which has allowed me to delete (quarantine) jgdwadsn.exe. Thanks Tech for the recommendation - it has also found these files:

e1.dll (95% rating)
w3sskbda.dll (82% rating)
iuennwcl.dll (82% rating)

Can someone please advise on these??

How do I best move forwards from here? Would it help to re-run HijackThis at this point to see what is still there? I need to clean my machine, and then take steps to prevent this happening again. All advice gratefully received!!

Oh … lastly - the name “Yox” … my real name is David Yoxall … Yox has been my nickname since time immemorial!!!

TECH???
I thought that was me?!
;D ;D ;D

- it has also found these files:

e1.dll (95% rating)
w3sskbda.dll (82% rating)
iuennwcl.dll (82% rating)

Can someone please advise on these??


1st & 2nd one belong to Stration/Warezov. Possibly the 3rd too, as it isn’t a known process.
Find the files and put them to a password-protected .zip file & send them to Virus[at]avast.com with a short description, a link to this thread and the password for the .zip file.
Then use Security Task Manager to kill & quarantine them.
Run any good spyware program you can get (ewido, a-squared) and possibly an online virus scanner, such as Kaspersky (http://www.kaspersky.com/virusscanner).

OK Folks,

Update time!

First, humble apologies Spyros - it was you - blame it on my very small brain!

I’ve zipped up the 3 files above & sent them to Avast!. I then deleted (quarantined) the files using Security Task Manager.

I then downloaded Kaspersky.com, which is running now - so far it has found 21 viruses -

riskware not-a-virus:Monitor.Win32.KeyKey.121 x 5
Trojan program Trojan-Downloader.JS.Psyme.ce x 1
Trojan program Trojan-Spy.HTML.Fraud.gen (modification) x 1
virus Email-Worm.Win32.Warezov.dc x 7
deleted: virus Email-Worm.Win32.Warezov.df x 7

All these have been deleted. There’s still an estimated 2 1/2 hours to go!!

When all this has finished am I “clean”??

Interestingly, I cannot run Avast and Kaspersky concurrently - which is better to have running all the time??

Did you quarantine these ones?
Didn’t avast detect them? If so, can you extract them from the Kaspersky quarantine to a USB drive, zip, password and send it to virus (at) avast.com for analysis?
Thanks.

Well… who knows.
Better will be:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Use a-squared, Free AVG Antispyware, SUPERantispyware or Spyware Terminator (trojan removers).

Not interestingly, but it’s normal. You can’t run two antivirus programs at the same time. They will conflict.
Are you using the Professional version of avast? Or you’re trying to compare the free avast with the paid Kaspersky?

@ Yox
There is nothing to stop you using avast as the resident scanner and only using on-access scanners (Bitdefender, etc.) or on-line scanners as a back-up scanner. On-line Virus Scanners and other useful Links Security-Ops.eu.tt: you will find many links for on-line scanners there, including a link for Kaspersky Web Scanner.