winxp outlook express sending multiple E mail attachments SOLVED I THINK

I have tried many virus scanners (including avast) but not one can find this one. If I attach a file or jpg to an outgoing e-mail from OE to myself @hotmail, multiple copies arrive. The following are the properties of the received attachments.

I have been chasing this thing for a week and can’t catch the little bugger!

Help please.

Terry

ReadMessageLight.aspx?Action=ScanAttachment&AllowUnsafeContentOverrid

Protocol: Hyper Text Transfer Protocol

Type: ASPX File

Address (URL): http://by127w.bay127.mail.live.com/mail/ReadMessageLight.aspx?

ReadMessageLight.aspx?Aux=4%7c0%7c8CA72B82D186B60%7c&FolderID=00000000-0000-0000-0000-000000000001&InboxSortAscending=False&InboxSortBy=Date&ReadMessageId=da1344f4-0c50-4bd1-a440-670479be7bdc&n=1105721237

http://by127w.bay127.mail.live.com/mail/ReadMessageLight.aspx?Aux=4|0|8CA72B82D186B60|&FolderID=00000000-0000-0000-0000-000000000001&InboxSortAscending=False&InboxSortBy=Date&ReadMessageId=da1344f4-0c50-4bd1-a440-670479be7bdc&n=1105721237

What is your firewall, as that should also be a line of defence against unauthorised outbound connections ?

What is your OS ?
When avast pops up this alert is there any indication of the application (file name) sending ?

You could also use a tool called TCPview and that should show the processes that have connections.

Are there any strange processes in the windows Task Manager ?

You don’t say what scanners you have tried or if they were installed or on-line scanners ?
If you haven’t already got this software (freeware) try one: download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. If using winXP or Vista: SUPERantispyware (On-Demand only in free version). Or Spyware Terminator, resident scanner (if you use this don’t install the toolbar or crawler or the anti-virus module). Or a-Squared free, On-Demand only with free version (if using win98/ME).

Please try to install avast 4.8 with all updates; after a scan I think all will be OK…

Win XP 2; firewall: Win XP; all up to date and running.
No information with this alert.

I have been scanning with avast while the alert is active on my desk top

also scanned with avg, spybot, malware anti malware

Super antispyware

all while this alert is active on the desk top & not one of the scanners find it.

Also been searching myself, nothing.
Just checked my tlaingt inbox and although I have not allowed the avast warning message to send it,
I now have 292 copies of the message in the hotmail inbox. Weird

HELP

I haven’t tried tcpview.
Terry

Unfortunately the XP firewall is like a sieve; there is zero outbound protection, an essential these days.

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.
    See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
    See http://www.matousec.com/projects/firewall-challenge/results.php.

Did you run SAS from safe mode? This is best.
What about this:

Are there any strange processes in the windows Task Manager ?

TCPview (do a search and download it) is a real sniffer and will indicate all active connections so is a valuable analysis tool.

If you have hotmail, what arrives in its inbox (if you are talking of one on your email client rather than the web) doesn’t use the pop3 protocol and as such isn’t scanned by the avast email scanner. Also, avast isn’t an anti-spam tool as far as inbound email is concerned.

I now have online armor firewall installed with all systems active.
I have been running TCP but am unable to understand what I should be looking for
or how to interpret what I am looking for, although I have taken snapshots at various times of sending messages with attachments.
Below is the property file; can anyone find something in here?
I let it send 3 times before I deleted the send file.

Received: from pd2mr5so.prod.shaw.ca (pd2mr5so-qfe2.prod.shaw.ca [10.0.162.8])
 by l-daemon (Sun Java System Messaging Server 6.2-7.05 (built Sep 5 2006))
 with ESMTP id 0K0300BBTUZV5MB0@l-daemon for plid@shaw.ca; Tue,
 29 Apr 2008 15:14:19 -0600 (MDT)
Received: from pn2ml1so.prod.shaw.ca ([10.0.121.145])
 by pd2mr5so.prod.shaw.ca (Sun Java System Messaging Server 6.2-7.05 (built Sep
 5 2006)) with ESMTP id 0K0300GZ3UZ2JV60@pd2mr5so.prod.shaw.ca for
 plid@shaw.ca (ORCPT plid@shaw.ca); Tue, 29 Apr 2008 15:14:19 -0600 (MDT)
Received: from acer56fb35423d ([24.68.225.203])
 by l-daemon (Sun Java System Messaging Server 6.2-7.05 (built Sep 5 2006))
 with SMTP id 0K0300LJXUXODO20@l-daemon for plid@shaw.ca; Tue,
 29 Apr 2008 15:13:46 -0600 (MDT)
Date: Tue, 29 Apr 2008 14:13:00 -0700
From: lcc plid@shaw.ca
Subject: [WARNING - NOT VIRUS SCANNED] Re: VVVVVVVVVVVVVV PLID 3 20L.jpg [02/25]
To: lcc plid@shaw.ca
Message-id: 002f01c8aa3d$dd2c63e0$cbe14418@acer56fb35423d
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-Priority: 3
X-MSMail-priority: Normal
X-Antivirus: avast! (VPS 080429-1, 04/29/2008), Outbound message
X-Antivirus-Status: Clean
Original-recipient: rfc822;plid@shaw.ca
X-Antivirus: AVG for E-mail 7.5.524 [269.23.6/1402]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-48178FFB553F======="
X-Antivirus: avast! (VPS 080429-1, 04/29/2008), Inbound message
X-Antivirus-Status: Clean

I have been searching etc almost all day for the past week & find nothing.
Terry
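
One way to read a header block like the one posted above (an added example, not part of the original thread): it walks the Received chain oldest-first and groups copies by Message-id plus the queue id assigned at first submission, so repeats of a single submission can be told apart from separately sent messages. The function names are made up for this example and the sample is abridged from the post.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parsedate_to_datetime

# Abridged from the header block in the post ("for" clauses and server banners
# dropped); continuation lines are indented so the parser unfolds them.
COPY = """\
Received: from pd2mr5so.prod.shaw.ca (pd2mr5so-qfe2.prod.shaw.ca [10.0.162.8])
 by l-daemon with ESMTP id 0K0300BBTUZV5MB0@l-daemon;
 Tue, 29 Apr 2008 15:14:19 -0600 (MDT)
Received: from pn2ml1so.prod.shaw.ca ([10.0.121.145])
 by pd2mr5so.prod.shaw.ca with ESMTP id 0K0300GZ3UZ2JV60@pd2mr5so.prod.shaw.ca;
 Tue, 29 Apr 2008 15:14:19 -0600 (MDT)
Received: from acer56fb35423d ([24.68.225.203])
 by l-daemon with SMTP id 0K0300LJXUXODO20@l-daemon;
 Tue, 29 Apr 2008 15:13:46 -0600 (MDT)
Message-id: 002f01c8aa3d$dd2c63e0$cbe14418@acer56fb35423d
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-Antivirus: avast! (VPS 080429-1, 04/29/2008), Outbound message
X-Antivirus: AVG for E-mail 7.5.524 [269.23.6/1402]
X-Antivirus: avast! (VPS 080429-1, 04/29/2008), Inbound message

"""

def hops(raw):
    """Received chain oldest-first as (sending host, queue id, timestamp)."""
    out = []
    for r in reversed(message_from_string(raw).get_all("Received", [])):
        host = re.search(r"from (\S+)", r).group(1)
        qid = re.search(r"\bid ([^\s;]+)", r).group(1)
        when = parsedate_to_datetime(r.rsplit(";", 1)[1].strip())
        out.append((host, qid, when))
    return out

def fingerprint(raw):
    """Message-id plus the queue id the first server assigned on submission."""
    msg = message_from_string(raw)
    return msg["Message-id"], hops(raw)[0][1]

def group_copies(raws):
    """Count copies per fingerprint: one key means one submission seen n times."""
    return Counter(fingerprint(r) for r in raws)

def scanners(raw):
    """X-Antivirus stamps in header order (every scanner that touched the mail)."""
    return message_from_string(raw).get_all("X-Antivirus", [])
```

Copies that share both values were accepted by the first mail server once; separately sent messages would show different queue ids and timestamps on the first hop.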

You run tcpview when the email is going out, or before; you can leave it running as it only shows connections. See image, and you can see the processes that have connections and which are outbound to the internet.
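
What to look for in a connection listing, as an added example that is not part of the original thread: the same check TCPView supports by eye, run over the text of `netstat -ano` together with a PID-to-name map read from Task Manager. The sample rows, addresses, PIDs and the `example-unknown.exe` name are constructed, and treating `msimn.exe` (Outlook Express) as the only expected mail sender is an assumption; a local antivirus mail proxy would need adding to that set.

```python
import re

# Constructed sample of `netstat -ano` output and a PID-to-name map;
# every address, PID and process name below is made up for illustration.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    192.168.1.10:1042      203.0.113.25:25        ESTABLISHED     1880
  TCP    192.168.1.10:1043      203.0.113.25:25        ESTABLISHED     2412
  TCP    192.168.1.10:1044      198.51.100.7:25        SYN_SENT        2412
  TCP    192.168.1.10:1050      198.51.100.80:80       ESTABLISHED     1520
  UDP    0.0.0.0:445            *:*                                    4
"""
IMAGES = {908: "svchost.exe", 1880: "msimn.exe", 2412: "example-unknown.exe",
          1520: "iexplore.exe", 4: "System"}
MAIL_PORTS = {25, 465, 587}          # SMTP and mail submission ports
EXPECTED_SENDERS = {"msimn.exe"}     # assumption: only Outlook Express sends mail

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def outbound(netstat_text):
    """Yield (pid, remote_ip, remote_port, state) for non-listening TCP rows."""
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(5) != "LISTENING":
            yield int(m.group(6)), m.group(3), int(m.group(4)), m.group(5)

def unexpected_mail_senders(netstat_text, images, expected=EXPECTED_SENDERS):
    """Group mail-port destinations by process, dropping the expected client."""
    found = {}
    for pid, ip, port, _state in outbound(netstat_text):
        name = images.get(pid, "pid %d (not in task list)" % pid)
        if port in MAIL_PORTS and name.lower() not in expected:
            found.setdefault(name, set()).add(ip)
    return found
```

A process that appears in the result while a message is being sent is the one to look up and scan first.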

Finally paid for and got

Spyware Doctor with AntiVirus
and
Registry Mechanic

It found numerous problems, things seem to be back to normal FINALLY.

The Trojan causing the problem seems to have been "Popuper"

Thanks for all the help and suggestions, really appreciated.

I now have avast running
Online Armor
and Spyware doc running

I think it will conflict with avast.