There are too many identical e-mails

Hi, new here. Been using avast for 2 years now, great program.
I am having this issue: there are too many identical e-mails in appointed time
I am running Windows XP with SP2 and I do not want to turn off the e-mail notifier; I would like to fix the problem. I am hoping not to reinstall the OS, which is an option that I have read.
Thanks in advance

Hi are you sending emails when you get this message?

Hi
No, there is an icon in the bottom right on the task bar. When I log on to Internet Explorer I get a pop-up from avast with this warning (there are too many identical e-mails in appointed time). The e-mails it shows are for all kinds of stuff, from viagra to you're ugly, and always e-mail addresses I have never seen. The odd thing is if I log in through msn and not IE the icon is still in the tray but no pop-up from avast, and when on IE if I try to open another tab IE goes crazy and I have to close IE completely and use only msn.
I have run avast on boot-up, ccleaner, avg anti-spyware and spybot s&d with no luck.
Thanks

That would confirm you have been turned into a spambot. We should be able to clear this up.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically ‘C:\SDFix’) Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Click here to download HJTsetup.exe

Save HJTsetup.exe to your desktop.
Double-click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

@ tncaz

Is this the I icon you are talking about, see image ?

If so, that is the avast VRDB icon and you can merge it together with the avast ‘a’ icon. Right click on it and select Merge with avast! main icon.

This isn’t part of this forum, but if you do a quick scan on files should it say ‘Scan progress 0%’?

Please post this in a new topic, from the forum.avast.com home page, click the avast! 4 Home/Pro forum link. You will see a list of topics, at the top of this list you will see a ‘New Topic’ button. Use that to create your own topic as this isn’t normal behaviour, we can help you there rather than confuse this topic.

sdfix report

SDFix: Version 1.168
Run by cody anderson on Sat 04/12/2008 at 12:34 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 12:43:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden services & system hive …

scanning hidden registry entries …

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019"
"E:\Program Files\Xfire\xfire.exe"="E:\Program Files\Xfire\xfire.exe::Enabled:Xfire"
"E:\Program Files\Microsoft Games\Halo\halo.exe"="E:\Program Files\Microsoft Games\Halo\halo.exe::Enabled:Halo"
"E:\Program Files\Microsoft Games\Halo Custom Edition\haloce.exe"="E:\Program Files\Microsoft Games\Halo Custom Edition\haloce.exe::Enabled:Halo"
"E:\Program Files\LimeWire\LimeWire.exe"="E:\Program Files\LimeWire\LimeWire.exe::Enabled:LimeWire"
"E:\Valve\Steam\Steam.exe"="E:\Valve\Steam\Steam.exe::Enabled:Steam"
"E:\Valve\Steam\steamapps\gamer837\condition zero\hl.exe"="E:\Valve\Steam\steamapps\gamer837\condition zero\hl.exe::Disabled:Half-Life Launcher"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe::Enabled:Windows Messenger"
"E:\Program Files\haloded.exe"="E:\Program Files\haloded.exe::Enabled:Halo"
"E:\Program Files\DS\haloded update.exe"="E:\Program Files\DS\haloded update.exe::Enabled:Halo"
"E:\Program Files\DS\haloded.exe"="E:\Program Files\DS\haloded.exe::Enabled:Halo"
"C:\Documents and Settings\cody anderson\Desktop\DS\haloded.exe"="C:\Documents and Settings\cody anderson\Desktop\DS\haloded.exe::Enabled:Halo"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000"
"E:\Program Files\iTunes\iTunes.exe"="E:\Program Files\iTunes\iTunes.exe::Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 21 Jan 2004 61,440 …H. — “C:\Program Files\MSN\msnupdate!@#@.exe”
Wed 21 Jan 2004 292,864 …H. — “C:\Program Files\MSN\txsrvc.dll”
Wed 21 Jan 2004 302,080 …H. — “C:\Program Files\MSN\unicows.dll”
Mon 28 Jan 2008 1,404,240 A.SHR — “C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe”
Mon 28 Jan 2008 5,146,448 A.SHR — “C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe”
Mon 28 Jan 2008 2,097,488 A.SHR — “C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe”
Sat 20 Oct 2007 0 A.SH. — “C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp”
Wed 23 Jan 2008 0 A…H. — “C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BIT4.tmp”
Thu 27 Mar 2008 0 A…H. — “C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BIT6.tmp”
Wed 23 Jan 2008 0 A…H. — “C:\WINDOWS\SoftwareDistribution\Download\afa5528a2269b5106016bdbc1ea3037f\BIT3.tmp”
Thu 27 Mar 2008 3,725,648 A…H. — “C:\WINDOWS\SoftwareDistribution\Download\afa5528a2269b5106016bdbc1ea3037f\BIT4.tmp”
Wed 23 Jan 2008 0 A…H. — “C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT2.tmp”

Finished!

thanks

and here is the hj log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:23 PM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qwest.msn.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe


End of file - 7044 bytes
thanks
hope this will help

Hi DavidR
I do have that icon, but the one that comes up is like a stack of envelopes with a blue dot, and when the cursor is put over it: avast mail scanner [services.exe-> and from this point it changes with every e-mail
Thanks

That is the indication that the Internet Mail scanner is scanning inbound or outbound email, see image; is that it?

I have to admit that I don’t see any reference to services.exe if I happen to hover over the icon. That is I would say the indication that the spambot on your system is at work and hopefully with oldman’s help will be resolved.

Sorry about the delay. But that last piece you posted may help.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\services.exe

Scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Nothing jumps out from those two logs, so let's look deeper.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads, main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

You can attach the logs, use the additional options button.

Do you think it worthwhile to do a search for services.exe to see if there is more than one but in a different location ?

Yes, good suggestion. It should have shown in the DSS log though.

I was thinking of an infected services.exe, a couple of worms will inject it.

What I find a bit unusual is that it is only with IE. Possibly in a temp folder, but I’d like to have a look at it rather than just kill it. Gather some info to see what it is related to.

@tncaz

Click Start, My Computer, select the Tools menu and click Folder Options. Click the View tab

check Display the contents of system folders
check Show hidden files and folders
uncheck “Hide extensions for known file types” box
uncheck “Hide protected operating system files” box

Please use the search function to search for services.exe and let us know how many instances and their locations you find.

Click the Start button, click Search, and set the search field to My Computer

See image.

hi
here is the virus total you requested
File has already been analysed:
MD5: c6ce6eec82f187615d1002bb3bb50ed4
Date: 04.08.2008 19:46:18 (CET) [>4D]
Results: 0/31
Permalink: analisis/b262dd10bc34ba923a8c16bc27481422
Real strange thing: been gone to the store, left msn up and open, and it had the same pop-up warning from avast that I would get when on IE. And yes DavidR, that is the icon in the tray; now it is there all the time.
I will go do the other things oldman asked of me
Thanks all

Both the extra and main txt are too big to post; should I split them then post?
Thanks

Oops, saw what to do in oldman's reply
here you go

and here is the second one
Thanks

Here are the only 2, DavidR. Was I to use the program you posted ???
SERVICES.EXE-2F433351.pf C:\WINDOWS\Prefetch 18KB pf file 4-12-2008 12:49 pm
Services.exe C:\WINDOWS\system32 106KB application 2-28-2006 5:00 am

Thanks
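
The check asked for earlier in this thread (is there a second services.exe somewhere other than its normal location?), as an added example that is not part of any poster's reply: it classifies search-result paths and treats the Prefetch trace file as harmless. The allowlisted directories, the extra watched process names and the two entries marked constructed are assumptions, not taken from the thread.

```python
import ntpath

# Assumed allowlist (not from the thread): directories where Windows XP
# itself keeps copies of core system binaries. Adjust for the real %windir%.
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\system32\dllcache",
    r"c:\windows\servicepackfiles\i386",
}

# services.exe is the name discussed in the thread; the other core
# process names are added here for illustration.
WATCHED_NAMES = {"services.exe", "lsass.exe", "winlogon.exe",
                 "svchost.exe", "smss.exe"}


def classify(path):
    """Return 'expected', 'suspicious' or 'ignored' for one file path."""
    norm = ntpath.normpath(path.strip().strip('"')).lower()
    directory, name = ntpath.split(norm)
    if name not in WATCHED_NAMES:
        # e.g. SERVICES.EXE-2F433351.pf is a Prefetch trace, not a program
        return "ignored"
    return "expected" if directory in EXPECTED_DIRS else "suspicious"


def review(paths):
    """Map each watched-name path to its verdict, dropping ignored entries."""
    verdicts = {}
    for p in paths:
        verdict = classify(p)
        if verdict != "ignored":
            verdicts[p] = verdict
    return verdicts


# The two search results reported in the thread, plus two constructed
# entries showing what a copy in an unexpected location looks like.
SAMPLE = [
    r"C:\WINDOWS\Prefetch\SERVICES.EXE-2F433351.pf",
    r"C:\WINDOWS\system32\Services.exe",
    r"C:\WINDOWS\Temp\services.exe",    # constructed
    r"C:\WINDOWS\system\svchost.exe",   # constructed
]

if __name__ == "__main__":
    for path, verdict in review(SAMPLE).items():
        print(f"{verdict:10} {path}")
```

A file in the expected location can still be patched or injected, which is why the thread also checks the file itself with VirusTotal; paths written as 8.3 short names (C:\PROGRA~1\...) would need expanding before this comparison.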