undetected virus from avast ?

Hi all,

2 days ago, my security system (I am running under Win XP SP2) told me that my firewall was deactivated!!!

I was afraid of this weird message … 15 sec after, my firewall was working as well as at the beginning. I have never opened an unknown email nor executed a file received from an unknown person.

Today, I saw that my avast home edition was scanning outgoing email. My email client wasn’t running and I didn’t send any email (nor compiled a web form to send data).

Here is a log from the avast folder:

07/21/06 12:12:17 00000D50: Started as service, Log = 1
07/21/06 12:12:17 00000D50: Build 4.7.844
07/21/06 12:12:17 00000D50: Windows XP Workstation (Service Pack 2)
07/21/06 12:12:17 00000D50: Using WinSock 2.0
07/21/06 12:12:17 00000D50: AutoRedirect settings changed 1
07/21/06 12:12:17 00000D50: POP Start settings changed: 1
07/21/06 12:12:17 00000D50: POP Default server settings changed: 127.0.0.1 110
07/21/06 12:12:17 00000D50: POP Listen settings changed: 127.0.0.1 12110
07/21/06 12:12:17 00000D50: POP RedirectPort: 110
07/21/06 12:12:17 00000D50: SMTP Start settings changed: 1
07/21/06 12:12:17 00000D50: SMTP Default server settings changed: 127.0.0.1 25
07/21/06 12:12:17 00000D50: SMTP Listen settings changed: 127.0.0.1 12025
07/21/06 12:12:17 00000D50: SMTP RedirectPort: 25
07/21/06 12:12:17 00000D50: IMAP Start settings changed: 1
07/21/06 12:12:17 00000D50: IMAP Listen settings changed: 127.0.0.1 12143
07/21/06 12:12:17 00000D50: IMAP RedirectPort: 143
07/21/06 12:12:18 00000D50: NNTP Start settings changed: 1
07/21/06 12:12:18 00000D50: NNTP Listen settings changed: 127.0.0.1 12119
07/21/06 12:12:18 00000D50: NNTP RedirectPort: 119
07/21/06 13:07:06 00000970: getnameinfo error 11004
07/21/06 13:12:31 00000FF0: --SMTP Mail is clean
07/21/06 13:12:39 00000D14: --SMTP Mail is clean
07/21/06 13:13:04 00000D2C: --SMTP Mail is clean
07/21/06 13:13:04 00000BB8: --SMTP Mail is clean
07/21/06 13:14:10 000004A8: --SMTP Mail is clean
07/21/06 13:14:16 000008FC: --SMTP Mail is clean
07/21/06 13:14:28 00000D24: --SMTP Mail is clean
07/21/06 13:14:34 00000D70: --SMTP Mail is clean
07/21/06 13:14:55 000008B4: --SMTP Mail is clean
07/21/06 13:15:14 00000508: --SMTP Mail is clean
07/21/06 13:15:16 00000D40: --SMTP Mail is clean
07/21/06 13:16:31 000007D8: --SMTP Mail is clean
07/21/06 13:16:47 00000A8C: --SMTP Mail is clean
07/21/06 13:17:22 00000120: --SMTP Mail is clean
07/21/06 13:17:32 00000FBC: --SMTP Mail is clean
07/21/06 13:17:52 00000130: --SMTP Mail is clean
07/21/06 13:18:12 00000AF8: --SMTP Mail is clean
07/21/06 13:18:28 000005F8: --SMTP Mail is clean
07/21/06 13:18:37 00000CF4: --SMTP Mail is clean
07/21/06 13:19:06 000000FC: --SMTP Mail is clean
07/21/06 13:19:08 00000C08: --SMTP Mail is clean
07/21/06 13:19:31 000004A8: --SMTP Mail is clean
07/21/06 13:20:06 00000DBC: --SMTP Mail is clean
07/21/06 13:20:07 00000AF8: --SMTP Mail is clean
07/21/06 13:20:40 0000033C: --SMTP Mail is clean
07/21/06 13:21:59 00000560: --SMTP Mail is clean
07/21/06 13:22:23 00000A48: --SMTP Mail is clean
07/21/06 13:23:26 00000704: --SMTP Mail is clean
07/21/06 13:23:29 00000E90: --SMTP Mail is clean
07/21/06 13:24:06 000002D4: --SMTP Mail is clean
07/21/06 13:24:08 00000300: --SMTP Mail is clean
07/21/06 13:24:11 00000FF4: --SMTP Mail is clean
07/21/06 13:24:34 00000FCC: --SMTP Mail is clean
07/21/06 13:24:59 0000074C: --SMTP Mail is clean
07/21/06 13:25:01 00000EE0: --SMTP Mail is clean
07/21/06 13:25:04 00000C20: --SMTP Mail is clean

As you can see, the frequency of the sending is high. The only solution I found was to unplug my network cable!
After that I launched the avast scan … and it found nothing.

What can I do now?

Thank you
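The posted log is the most useful evidence in this thread: every "--SMTP Mail is clean" line is one outgoing message that the avast Mail Shield proxied on the SMTP redirect port (25), and each entry carries a different thread id, so the traffic was not one mail-client session. The script below is an added example for this thread, not avast code or anything from the original post: it parses the log format shown above (date, time, 8-hex-digit thread id, message), reads out which ports the shield is proxying, counts outgoing SMTP scans per minute, and flags a sustained rate on a machine whose mail client is closed. The sample log is a constructed subset of the lines posted above; the 1-per-minute threshold is an assumption chosen for an idle desktop, not an avast setting.

```python
"""Triage an avast Mail Shield log for unexpected outbound SMTP activity.

Added example for this forum thread (not avast code). The line format is
taken from the log posted above: "MM/DD/YY HH:MM:SS <thread id>: <message>".
"""
import re
from collections import Counter
from datetime import datetime

# One log line: date, time, 8-hex-digit thread id, colon, free-text message.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ([0-9A-Fa-f]{8}): (.*)$")

# Constructed sample: a subset of the lines from the post above.
SAMPLE_LOG = """\
07/21/06 12:12:17 00000D50: Started as service, Log = 1
07/21/06 12:12:17 00000D50: SMTP Listen settings changed: 127.0.0.1 12025
07/21/06 12:12:17 00000D50: SMTP RedirectPort: 25
07/21/06 13:07:06 00000970: getnameinfo error 11004
07/21/06 13:12:31 00000FF0: --SMTP Mail is clean
07/21/06 13:12:39 00000D14: --SMTP Mail is clean
07/21/06 13:13:04 00000D2C: --SMTP Mail is clean
07/21/06 13:13:04 00000BB8: --SMTP Mail is clean
07/21/06 13:14:10 000004A8: --SMTP Mail is clean
07/21/06 13:14:16 000008FC: --SMTP Mail is clean
07/21/06 13:14:28 00000D24: --SMTP Mail is clean
07/21/06 13:14:34 00000D70: --SMTP Mail is clean
07/21/06 13:14:55 000008B4: --SMTP Mail is clean
07/21/06 13:15:14 00000508: --SMTP Mail is clean
07/21/06 13:15:16 00000D40: --SMTP Mail is clean
"""


def parse_log(text):
    """Return (timestamp, thread_id, message) tuples; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        events.append((ts, m.group(2).upper(), m.group(3)))
    return events


def redirect_ports(events):
    """Map protocol -> real port for the '<PROTO> RedirectPort: N' lines (ports the shield proxies)."""
    ports = {}
    for _, _, msg in events:
        m = re.match(r"^(\w+) RedirectPort: (\d+)$", msg)
        if m:
            ports[m.group(1)] = int(m.group(2))
    return ports


def smtp_scans(events):
    """(timestamp, thread_id) for every scanned outgoing SMTP message."""
    return [(ts, tid) for ts, tid, msg in events if msg.startswith("--SMTP Mail")]


def per_minute_counts(events):
    """Outgoing SMTP scans per calendar minute, keyed 'HH:MM', in time order."""
    counts = Counter(ts.strftime("%H:%M") for ts, _ in smtp_scans(events))
    return dict(sorted(counts.items()))


def summarize_smtp(events, max_per_minute=1.0):
    """Overall rate of outgoing SMTP scans; 'suspicious' when it exceeds max_per_minute.

    max_per_minute is an assumed threshold for a desktop with no mail client open,
    where the expected number of outgoing messages is zero.
    """
    scans = smtp_scans(events)
    if len(scans) < 2:
        return {"count": len(scans), "span_seconds": 0.0, "per_minute": 0.0,
                "distinct_threads": len({tid for _, tid in scans}), "suspicious": False}
    times = [ts for ts, _ in scans]
    span = (max(times) - min(times)).total_seconds()
    per_minute = len(scans) * 60.0 / max(span, 1.0)  # floor avoids division by zero
    return {
        "count": len(scans),
        "span_seconds": span,
        "per_minute": per_minute,
        # a different thread id per message means a separate proxied connection each time
        "distinct_threads": len({tid for _, tid in scans}),
        "suspicious": per_minute > max_per_minute,
    }


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("shield redirect ports:", redirect_ports(ev))
    print("SMTP scans per minute:", per_minute_counts(ev))
    print("summary:", summarize_smtp(ev))
```

Run against the full log from the post, the same summary gives 36 scans in about 12.5 minutes, well above anything a closed mail client could produce; the per-minute buckets also show where the bursts are, which is useful when correlating with process or connection listings taken at the same time.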

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  3. Use a-squared or ewido (trojan removers).

Post the results 8)

Done.
No virus.

3) Use a-squared or ewido (trojan removers).

I used a-squared and it found the same cookies as Ad-aware found (cookies from safe web sites, web forums I am used to visiting and other billing web sites) plus one item: it detects the VNC program as malware …

Post the results 8)

And now?

Better would be to use ewido…
Anyway, you seem to be clean 8)

… And my computer is still sending email without my action …

I understand you can’t say that avast is not detecting this … trojan … but I need better first aid.

I will switch to another antivirus.

News: the Win XP Pro SMTP server service was enabled. I disabled it and after the next computer start it was enabled, etc …

Same thing for the ping port in the XP firewall … I close it, but after each restart it is open. I seem to be clean? Yes, only “seem” …

Hi Derchoff,

Download the DrWebCureIt scanner from their site, it is free, and give the comp a full scan. Also go to your DOS prompt, first give in netstat -a and netstat -an, also arp. To see what is going on download TdiMon from this site: http://www.sysinternals.com/Utilities/TdiMon.html
Let it run under your session and you’ll find what happens, or run a session with Packetyzer as a packet sniffer analyzing tool combined with the Etherspoof (sniffer). You will find the nasty element. Don’t blame avast, it could be a hidden crafted attack. Hope you’ll get it at the tail,
naboj!!

polonus
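The netstat advice above is the quickest host-side check for a mass mailer: with the mail client closed, there should be no connections to remote port 25 at all, and (as the thread later notes) no local SMTP service listening. The script below is an added example for this thread, not from polonus or any tool he names: it parses the text of `netstat -an` saved to a file (Windows XP column layout assumed: Proto, Local Address, Foreign Address, State) and reports outbound connections to mail ports, how many distinct mail servers they go to, and any local listener on a mail port that is not on an expected list. The sample output is constructed with RFC 5737 documentation addresses; the avast proxy listener on 127.0.0.1:12025 comes from the log posted above.

```python
"""Triage saved `netstat -an` output for spambot-style SMTP activity.

Added example for this forum thread; not code from the original post.
Assumes the Windows XP netstat layout: Proto, Local Address, Foreign Address, State.
"""
import re
from collections import Counter

# Constructed sample (documentation addresses); 127.0.0.1:12025 is the avast
# SMTP proxy listener from the posted log, 0.0.0.0:25 stands for the XP SMTP service.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1234      203.0.113.5:25         ESTABLISHED
  TCP    192.168.1.10:1240      203.0.113.9:25         SYN_SENT
  TCP    192.168.1.10:1247      203.0.113.5:25         TIME_WAIT
  TCP    192.168.1.10:1301      198.51.100.20:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Ports a mail submission would use; the header line does not start with TCP/UDP, so it is skipped.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'host:port' -> (host, port as int or None for '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection row; non-matching lines (banner, header) are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport, "state": state or ""})
    return rows


def outbound_mail_connections(rows):
    """TCP rows whose remote side is a mail port, in any non-listening state."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["foreign_port"] in MAIL_PORTS and r["state"] != "LISTENING"]


def local_mail_listeners(rows):
    """Sockets listening on a mail port on this host (a local SMTP server)."""
    return [r for r in rows if r["state"] == "LISTENING" and r["local_port"] in MAIL_PORTS]


def triage(rows, expected_listeners=frozenset()):
    """Summarize what a defender wants from one netstat snapshot.

    expected_listeners: set of (host, port) pairs that are known and allowed to listen.
    """
    out = outbound_mail_connections(rows)
    servers = Counter(r["foreign_host"] for r in out)
    unexpected = [(r["local_host"], r["local_port"]) for r in local_mail_listeners(rows)
                  if (r["local_host"], r["local_port"]) not in expected_listeners]
    return {
        "outbound_mail": len(out),
        "distinct_mail_servers": len(servers),
        "mail_servers": dict(servers),
        "unexpected_listeners": unexpected,
    }


if __name__ == "__main__":
    # Real use: netstat -an > netstat.txt, then parse_netstat(open("netstat.txt").read())
    print(triage(parse_netstat(NETSTAT_SAMPLE)))
```

Two snapshots a minute apart are more telling than one: a mailer cycling through many servers shows as a changing set of foreign hosts on port 25 while the local port numbers keep climbing. On XP, `netstat -ano` adds the owning process id, which is the link to the process or driver that the antivirus scans should then be pointed at.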

I don’t blame avast because they don’t find it. I understand this is hard work.

I am only a little upset by the previous response “you seem to be clean”.

I am trying your way immediately.

Same thing for the ping port in the xp firewall ... i close it, but after each restart it is open.
The person who called the XP firewall a firewall should be shot, hung, drawn, quartered and given a good kicking. It has no outbound connection protection, so there is nothing to stop this spambot gaining access to the internet to send its spam.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Comodo, Jetico, Sunbelt Kerio, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3
For an on-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any O23 reference to avast processes, this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast); if you need any help with any of the analysis let us know.

I had a similar problem. See my posting from 06/12/06.
In my case it was a mass mailer: windows/system32/drivers/sysbus32.sys

Running Ewido in safe mode helped to detect it.
Good luck