I’ve been using Avast now for nearly a year, and over the past two days I’ve had a problem:
I keep getting Suspicious Message alerts - one after another after another - until I pause the Internet Mail provider. I have no idea why this has suddenly started happening …
An example of one of these the alerts reads:
"Suspicious extension(s) of attachment
*update of KB9046-x86.exe"
The sender is always unknown to me, the recipient is often someone to whom I have sent mails in the past.
Today, I have run a full Avast scan, along with Spybot & AdAware … no issues. I have also tried reducing the sensitivity of the Internet Mail provider from ‘high’ to ‘normal’ … but with no change …
Hmm, it means that they are outgoing e-mails - i.e. there’s some (possibly undetected) piece of malware active on the computer sending out other infected e-mails (according to the filename, I’d say it’s a variant of Win32:Warezov).
First, I’d suggest to make sure you are using the latest avast! virus database (i.e. invoke a VPS update), perform a scan of the system (possibly a boot-time scan) and remove the detected files (or move them to Chest).
If it doesn’t help, get HijackThis and post its log here…
Avast! scan running now … I’ve downloaded and run Hijack This, and the log file is here:
Logfile of HijackThis v1.99.1
Scan saved at 13:20:10, on 20/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
“C:\WINDOWS\system32\FreezeScreenSaver.exe”
I would delete this one, if I were you. It’s adware.
Igor will tell you about the rest.
@Igor:
I think e1.dll (O20 - AppInit_DLLs: e1.dll w3sskbda.dll) is usually connected with warezov/stration, as is “update of KB9046-x86.exe” of course.
Analysis of your log shows that there are no bad items…
c:\program files\alwil software\avast4\aswupdsv.exe - Avast’s anti-virus update service
c:\program files\alwil software\avast4\ashserv.exe - Avast’s anti-virus main module
c:\program files\alwil software\avast4\ashmaisv.exe - Avast’s anti-virus mail protection service
c:\program files\alwil software\avast4\ashwebsv.exe - Avast’s anti-virus webshield
c:\progra~1\alwils~1\avast4\ashdisp.exe - Avast’s anti-virus tray icon
c:\program files\common files\real\update_ob\realsched.exe - Real Player update checker
c:\program files\mozilla firefox\firefox.exe - Mozilla Firefox - browser
c:\program files\microsoft office\office11\winword.exe - Microsoft Word
o23 - service: avast! iavs4 control service (aswupdsv) - c:\program files\alwil software\avast4\aswupdsv.exe
o23 - service: avast! antivirus - c:\program files\alwil software\avast4\ashserv.exe
o23 - service: avast! mail scanner - c:\program files\alwil software\avast4\ashmaisv.exe" /service (file missing) - Avast’s mail provider running as a service
o23 - service: avast! web scanner - c:\program files\alwil software\avast4\ashwebsv.exe" /service (file missing) - Avast’s webshield provider running as a service
Ignore any references to O23 entries for avast; this is a bug in HJT 1.99.1. HijackThis is searching for ‘C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service’ (including the double quote and the ‘/service’ parameter) as a file, which causes ‘file missing’, because only ‘C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe’ is present.
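An added illustration of the HJT 1.99.1 ‘file missing’ bug described in the post above (this is not code from the thread or from HijackThis). The ImagePath values and the stand-in file list are constructed; the point is that testing the raw registry value as a file name fails, while splitting off the quotes and the /service parameter first gives the right answer.

```python
"""Why HijackThis 1.99.1 reported quoted service paths as 'file missing'.
Added example; the ImagePath values and file list below are constructed."""
import ntpath

# Constructed ImagePath values in the shapes Windows services use
# (quoted path with a parameter, bare path, quoted path that really is absent).
IMAGE_PATHS = {
    "avast! Mail Scanner": r'"C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service',
    "avast! Antivirus": r"C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    "Example Service": r'"C:\Example Dir\notthere.exe" -k',
}

# Constructed stand-in for the file system so the example runs offline.
PRESENT = {
    r"c:\program files\alwil software\avast4\ashmaisv.exe",
    r"c:\program files\alwil software\avast4\ashserv.exe",
}


def split_image_path(value):
    """Return (executable, arguments) from a service ImagePath value.

    A quoted path ends at the closing quote; an unquoted one is cut after
    the first '.exe' token, which is sufficient for the cases shown here.
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            return value[1:], ""
        return value[1:end], value[end + 1:].strip()
    cut = value.lower().find(".exe")
    if cut == -1:
        return value, ""
    cut += len(".exe")
    return value[:cut], value[cut:].strip()


def hjt_1991_status(value, present=PRESENT):
    """HJT 1.99.1 behaviour as described in the thread: the whole ImagePath,
    quote and '/service' included, is tested as if it were a file name."""
    return "ok" if ntpath.normcase(value) in present else "file missing"


def corrected_status(value, present=PRESENT):
    """Strip the quotes and arguments first, then test only the executable."""
    exe, _args = split_image_path(value)
    return "ok" if ntpath.normcase(exe) in present else "file missing"
```

A genuinely absent executable (the third constructed entry) is still reported as missing by the corrected check, so the fix removes the false positive without hiding real ones.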
Besides what Spyros mentions, to me these are also suspect:
C:\WINDOWS\System32\jgdwadsn.exe
C:\WINDOWS\sserrvv.exe
O4 - HKLM..\Run: [sserrvv] C:\WINDOWS\sserrvv.exe s
O20 - Winlogon Notify: jgdwadsn - C:\WINDOWS\system32\jgdwadsn.dll
A Google search for these fails to return any hits, which to me is suspicious.
Whilst, as Tech mentioned, there are no positively detected bad items, there are many unknown items that require further investigation (google the file names, etc.). You can also submit the files at the on-line analysis site for unknown/suspect files (copy and paste your log here: http://hijackthis.de/index.php).
You will also notice that the analysis concludes that it doesn’t find an active software firewall; if you haven’t got one, you are going to be fighting an uphill battle to get clean.
Firstly, my thanks to Igor, Tech, Spyros & David R for their help!
I’m not sure what it all means though!! … from the bottom up - I’ve successfully deleted C:\WINDOWS\system32\FreezeScreenSaver.exe. The (second today) full Avast! scan has now finished, and it found a virus - Win32-Warezov-ME, which is now in the chest.
I then switched the internet mail provider back on, and have had no recurrence of the original problem.
I am unable to delete C:\WINDOWS\System32\jgdwadsn.exe, but have deleted C:\WINDOWS\sserrvv.exe …
Do I need to do any more?
David - I’m puzzled - I have Windows Firewall running??
I am unable to delete C:\WINDOWS\System32\jgdwadsn.exe,
What reason is given for this?
Windows in its infinite wisdom protects files in use (even malware) or in system folders, so it is likely that avast! can't delete or move files in use.
- Unlocker (http://ccollomb.free.fr/unlocker/) is also good, as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.
- MoveOnBoot (http://www.snapfiles.com/get/moveonboot.html)
Well, the analysis tool isn’t perfect, but also the XP firewall provides no outbound protection. As fast as you get rid of them they could be downloaded again.
Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
DavidR,
I’ve noticed those too but didn’t want to say more because Igor was the one who asked for the HJT log. I’m 99% sure that these files are from the Warezov/Stration, as I’ve already cleaned one system from an undetected sample.
I couldn’t delete Warezov/stration worms with any AV or AntiSpyware I’ve tried if they were active in the memory. What I used was the free version of “Security Task Manager” (http://www.neuber.com/taskmanager/index.html) to find and delete those. An excellent tool, even in the feature-limited free version.
I rather think Igor was hoping others would also help once the log was posted here ;D
Something that we didn’t mention to ‘Yox’ was these suspect files should also be sent to virus@avast.com in a zipped password protected email, before disposal/deletion.
Well, this morning I powered up, and immediately got a Trojan alert, which was something called twain22.exe: win32:PdPinch-AU. This was sent to the chest. It has reappeared 4 times in the hour and a half since I powered up.
I have read the comments on the forum … I’m getting paranoid guys!! … I’ve downloaded and run Security Task Manager, which has allowed me to delete (quarantine) jgdwadsn.exe. Thanks Tech for the recommendation - it has also found these files:
How do I best move forwards from here? Would it help to re-run Hijack This at this point to see what is still there? I need to clean my machine, and then take steps to prevent this happening again. All advice gratefully received!!
Oh … lastly - the name “Yox” … my real name is David Yoxall … Yox has been my nickname since time immemorial!!!
1st & 2nd one belong to Stration/Warezov. Possibly the 3rd too, as it isn’t a known process.
Find the files and put them to a password-protected .zip file & send them to Virus[at]avast.com with a short description, a link to this thread and the password for the .zip file.
Then use Security Task Manager to kill & quarantine them.
Run any good spyware program you can get (ewido, a-squared) and possibly an online virus scanner, such as Kaspersky (http://www.kaspersky.com/virusscanner).
First, humble apologies Spyros - it was you - blame it on my very small brain!
I’ve zipped up the 3 files above & sent them to Avast!. I then deleted (quarantined) the files using Security Task Manager.
I then downloaded Kaspersky.com, which is running now - so far it has found 21 viruses -
riskware not-a-virus:Monitor.Win32.KeyKey.121 x 5
Trojan program Trojan-Downloader.JS.Psyme.ce x 1
Trojan program Trojan-Spy.HTML.Fraud.gen (modification) x 1
virus Email-Worm.Win32.Warezov.dc x 7
deleted: virus Email-Worm.Win32.Warezov.df x 7
All these have been deleted. There’s still an estimated 2 1/2 hours to go!!
When all this has finished am I “clean”??
Interestingly, I cannot run Avast and Kaspersky concurrently - which is better to have running all the time??
Did you quarantine these ones?
Didn’t avast detect them? If so, can you extract them from the Kaspersky quarantine to a USB drive, zip, password-protect and send it to virus (at) avast.com for analysis?
Thanks.
Not interesting, but it’s normal. You can’t run two antivirus programs at the same time. They will conflict.
Are you using the Professional version of avast? Or you’re trying to compare the free avast with the paid Kaspersky?
@Yox
There is nothing to stop you using avast as the resident scanner and only using on-access scanners (Bitdefender, etc.) or on-line scanners as a back-up scanner. See On-line Virus Scanners and other useful Links (Security-Ops.eu.tt); you will find many links for on-line scanners there, including a link for Kaspersky Web Scanner.