Problems with AVG after infection

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
Hi there, I very foolishly got myself badly infected with SpySheriff, Winstall, TIBS, Smitfraud and some others, along with several Trojans with names like dropper, downloader and one that stood out in particular was Klone! I set about cleaning up with AVG, Spybot, CWS etc. as methodically as I could, then I used Bazooka to manually fix what I could.

AVG found 9 trojans/viruses and deleted 8 of them, doing nothing about the Klone one and not giving me much of a clue, so I just deleted it.

After hours of cleaning up, running all the checks again and basically seeming all clear, AVG started up the email scanner: the icon appeared alongside the normal AVG icon, it was running and saying email sent to this address and that address, none of which I knew. AVG has never done this before and it wouldn't stop until I eventually disabled the email plug-in.

I ran HijackThis a couple of times, because I do that every so often anyway just to keep a check on things, and the only thing different about the logs was the AVG entries. There were more than at any other time, although all were marked as safe.

Everything else on the PC seems fine, but of course now AVG is grey instead of coloured and says the email scanner is not fully functional, as I know it's not, but I'm reluctant to reactivate it in case it starts again.

I am wondering now if AVG has been compromised in some way and I'm not really sure how to check. I've copied the start of the emc.log to see if you can shed any light on it; it's about 4.5 MB so I couldn't attach it.

Sorry for such a long-winded post; I didn't want to leave anything out that may be relevant and I hope I haven't.

T.I.A. for any help.

LV

emc.log (very tiny fraction of it)

26.12.2005 05:34:22.453 [39c] AVG for E-mail [7.1.371] started
26.12.2005 05:34:23.140 [39c] Using AVG Kernel: 7.1.371 [267.14.7/214]
26.12.2005 05:34:23.187 [39c] AvgCfg: 0, IniCfg: 1
26.12.2005 05:34:23 Config: AVGCFG
26.12.2005 05:34:23 Using Cyrus SASL 2.1.13
26.12.2005 05:34:23 Starting the main loop
26.12.2005 05:34:23 Redirector version 70004
26.12.2005 05:34:23 AutoPOP3(10110): Starting server
26.12.2005 05:34:24 Queue processing started
26.12.2005 05:34:24 AutoSMTP(10025): Starting server
26.12.2005 05:45:21.375 [b78] AVG for E-mail [7.1.371] started
26.12.2005 05:45:21.687 [b78] Using AVG Kernel: 7.1.371 [267.14.7/214]
26.12.2005 05:45:21.703 [b78] AvgCfg: 0, IniCfg: 1
26.12.2005 05:45:21 Config: AVGCFG
26.12.2005 05:45:21 Using Cyrus SASL 2.1.13
26.12.2005 05:45:21 Starting the main loop
26.12.2005 05:45:21 Redirector version 70004
26.12.2005 05:45:21 AutoPOP3(10110): Starting server
26.12.2005 05:45:21 AutoSMTP(10025): Starting server
26.12.2005 05:45:21 Queue processing started
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1227
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1228
26.12.2005 07:45:28 AutoSMTP(10025): Client connected
26.12.2005 07:45:28 AutoSMTP(10025): Client connected
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1231
26.12.2005 07:45:28 AutoSMTP(10025): Client connected
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1233
26.12.2005 07:45:28 AutoSMTP(10025): Client connected
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1235
26.12.2005 07:45:28 AutoSMTP(10025): Client connected
26.12.2005 07:45:28 Sent mail for: casey_thornton@hotmail.com
26.12.2005 07:45:28 Processing outbound message queue
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1238
26.12.2005 07:45:28 AutoSMTP(10025): Client connected
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1240
26.12.2005 07:45:28 AutoSMTP(10025): Client connected
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1242
26.12.2005 07:45:28 AutoSMTP(10025): Client connected
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1244
26.12.2005 07:45:28 AutoSMTP(10025): Client connected
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1246
26.12.2005 07:45:28 AutoSMTP(10025): Client connected
26.12.2005 07:45:29 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:29 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:29 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:29 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:29 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:29 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:29 AutoSMTP(10025): Connection from 127.0.0.1:1250
26.12.2005 07:45:29 AutoSMTP(10025): Client connected
26.12.2005 07:45:29 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:29 AutoSMTP(10025): Connection from 127.0.0.1:1252
26.12.2005 07:45:29 AutoSMTP(10025): Client connected
26.12.2005 07:45:29 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:29 AutoSMTP(10025): Connection from 127.0.0.1:1254
26.12.2005 07:45:29 AutoSMTP(10025): Client connected
26.12.2005 07:45:29 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:29 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:29 AutoSMTP(10025): Connection from 127.0.0.1:1258
26.12.2005 07:45:29 AutoSMTP(10025): Client connected
26.12.2005 07:45:29 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:29 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:29 AutoSMTP(10025): Connection from 127.0.0.1:1260
26.12.2005 07:45:29 AutoSMTP(10025): Client connected
26.12.2005 07:45:29 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:29 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:29 AutoSMTP(10025): Connection from 127.0.0.1:1262
26.12.2005 07:45:29 AutoSMTP(10025): Client connected
26.12.2005 07:45:29 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:29 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:29 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:29 AutoSMTP(10025): Connection from 127.0.0.1:1266
26.12.2005 07:45:29 AutoSMTP(10025): Client connected
26.12.2005 07:45:29 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:29 AutoSMTP(10025): Connection from 127.0.0.1:1269
26.12.2005 07:45:29 AutoSMTP(10025): Client connected
26.12.2005 07:45:29 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:29 AutoSMTP(10025): Connection from 127.0.0.1:1272
26.12.2005 07:45:29 AutoSMTP(10025): Client connected
26.12.2005 07:45:29 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:29 AutoSMTP(10025): Connection from 127.0.0.1:1274
26.12.2005 07:45:29 AutoSMTP(10025): Client connected
26.12.2005 07:45:30 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:30 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:30 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:30 AutoSMTP(10025): Connection from 127.0.0.1:1277
26.12.2005 07:45:30 AutoSMTP(10025): Client connected
26.12.2005 07:45:30 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:30 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:30 AutoSMTP(10025): Connection from 127.0.0.1:1279
26.12.2005 07:45:30 AutoSMTP(10025): Client connected
26.12.2005 07:45:30 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:30 AutoSMTP(10025): Connection from 127.0.0.1:1282
26.12.2005 07:45:30 AutoSMTP(10025): Client connected
26.12.2005 07:45:30 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:30 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:30 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:30 AutoSMTP(10025): Connection from 127.0.0.1:1285
26.12.2005 07:45:30 AutoSMTP(10025): Client connected
26.12.2005 07:45:30 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:30 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:30 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:30 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:30 AutoSMTP(10025): Connection from 127.0.0.1:1289
26.12.2005 07:45:30 AutoSMTP(10025): Client connected
26.12.2005 07:45:30 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:30 AutoSMTP(10025): Connection from 127.0.0.1:1291
26.12.2005 07:45:30 AutoSMTP(10025): Client connected
26.12.2005 07:45:30 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:30 AutoSMTP(10025): Connection from 127.0.0.1:1293
26.12.2005 07:45:30 AutoSMTP(10025): Client connected
26.12.2005 07:45:30 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:30 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:30 AutoSMTP(10025): Connection from 127.0.0.1:1295
26.12.2005 07:45:30 AutoSMTP(10025): Client connected
26.12.2005 07:45:30 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:30 AutoSMTP(10025): Connection from 127.0.0.1:1297
26.12.2005 07:45:30 AutoSMTP(10025): Client connected
26.12.2005 07:45:30 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:30 Sending e-mail in queue file C:\Documents and Settings\xx\Application Data\AVG7\QUEUE\ACTIVE\78C9A15483.cf
26.12.2005 07:45:30 Host: 207.115.63.75:25
26.12.2005 07:45:30 From:
26.12.2005 07:45:30 To: casey_t@prodigy.net
26.12.2005 07:45:31 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:31 AutoSMTP(10025): Connection from 127.0.0.1:1302
26.12.2005 07:45:31 AutoSMTP(10025): Client connected
26.12.2005 07:45:31 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:31 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:31 AutoSMTP(10025): Connection from 127.0.0.1:1304
26.12.2005 07:45:31 AutoSMTP(10025): Client connected
26.12.2005 07:45:31 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:31 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:31 AutoSMTP(10025): Connection from 127.0.0.1:1306
26.12.2005 07:45:31 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:31 AutoSMTP(10025): Connection from 127.0.0.1:1307
26.12.2005 07:45:31 AutoSMTP(10025): Client connected
26.12.2005 07:45:31 AutoSMTP(10025): Client connected
26.12.2005 07:45:31 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:31 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:31 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:31 AutoSMTP(10025): Connection from 127.0.0.1:1310
26.12.2005 07:45:31 AutoSMTP(10025): Client connected
26.12.2005 07:45:31 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:31 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:31 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:31 AutoSMTP(10025): Connection from 127.0.0.1:1312
26.12.2005 07:45:31 AutoSMTP(10025): Client connected
26.12.2005 07:45:31 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:31 AutoSMTP(10025): Connection from 127.0.0.1:1314
26.12.2005 07:45:31 AutoSMTP(10025): Client connected
26.12.2005 07:45:31 Sending e-mail in queue file C:\Documents and Settings\xx\Application Data\AVG7\QUEUE\ACTIVE\78C9A124A9.cf
26.12.2005 07:45:31 Host: 65.54.244.168:25
26.12.2005 07:45:31 From:
26.12.2005 07:45:31 To: casey_temo@hotmail.com
26.12.2005 07:45:31 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:31 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:31 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:31 AutoSMTP(10025): Connection from 127.0.0.1:1317
26.12.2005 07:45:31 AutoSMTP(10025): Client connected
26.12.2005 07:45:31 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:31 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:31 AutoSMTP(10025): Connection from 127.0.0.1:1320
26.12.2005 07:45:31 AutoSMTP(10025): Client connected
26.12.2005 07:45:31 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:31 AutoSMTP(10025): Connection from 127.0.0.1:1322
26.12.2005 07:45:31 AutoSMTP(10025): Client connected
26.12.2005 07:45:32 Processing outbound message queue
26.12.2005 07:45:32 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:32 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:32 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:32 AutoSMTP(10025): Connection from 127.0.0.1:1327
26.12.2005 07:45:32 AutoSMTP(10025): Client connected
26.12.2005 07:45:32 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:32 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:32 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:32 AutoSMTP(10025): Connection from 127.0.0.1:1329
26.12.2005 07:45:32 AutoSMTP(10025): Client connected
26.12.2005 07:45:32 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:32 AutoSMTP(10025): Connection from 127.0.0.1:1331
26.12.2005 07:45:32 AutoSMTP(10025): Client connected
26.12.2005 07:45:32 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:32 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:32 AutoSMTP(10025): Connection from 127.0.0.1:1333
26.12.2005 07:45:32 AutoSMTP(10025): Client connected
26.12.2005 07:45:32 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:32 AutoSMTP(10025): Connection from 127.0.0.1:1335
26.12.2005 07:45:32 AutoSMTP(10025): Client connected
26.12.2005 07:45:32 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:32 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:32 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:32 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:32 AutoSMTP(10025): Connection from 127.0.0.1:1338
26.12.2005 07:45:32 AutoSMTP(10025): Client connected
26.12.2005 07:45:32 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:32 AutoSMTP(10025): Connection from 127.0.0.1:1340
26.12.2005 07:45:32 AutoSMTP(10025): Client connected
26.12.2005 07:45:32 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:32 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:32 AutoSMTP(10025): Connection from 127.0.0.1:1343
26.12.2005 07:45:32 AutoSMTP(10025): Client connected
26.12.2005 07:45:33 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:33 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:33 AutoSMTP(10025): Connection from 127.0.0.1:1345
26.12.2005 07:45:33 AutoSMTP(10025): Client connected
26.12.2005 07:45:33 Sending e-mail in queue file C:\Documents and Settings\xx\Application Data\AVG7\QUEUE\ACTIVE\78CAAB7337.cf
26.12.2005 07:45:33 Host: 143.166.224.134:25
26.12.2005 07:45:33 From:
26.12.2005 07:45:33 To: casey_parsons@dell.com
26.12.2005 07:45:33 Sending e-mail in queue file C:\Documents and Settings\xx\Application Data\AVG7\QUEUE\ACTIVE\78CDD77DFB.cf
26.12.2005 07:45:33 Host: 143.166.224.134:25
26.12.2005 07:45:33 From:
26.12.2005 07:45:33 To: casey_marsrow@dell.com
26.12.2005 07:45:33 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:33 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:33 AutoSMTP(10025): Connection from 127.0.0.1:1347
26.12.2005 07:45:33 AutoSMTP(10025): Client connected
26.12.2005 07:45:33 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:33 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:33 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:33 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:33 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:33 Sending e-mail in queue file C:\Documents and Settings\xx\Application Data\AVG7\QUEUE\ACTIVE\78CE258BF.cf
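As an added example (not code from the thread, from AVG or from the poster), here is a small Python triage script for an emc.log excerpt like the one above: it parses each line's timestamp and message, counts AutoSMTP connections per local process id and per second, records host, envelope sender and recipient for every queued delivery, and flags bursts and deliveries with an empty From: line. The parser, the burst threshold and the sample lines are constructed for illustration; the addresses, hosts and queue-file names are placeholders, not values from the log.

```python
"""Triage of an AVG 7 emc.log excerpt (added example, not AVG's own code).

Each emc.log line is `DD.MM.YYYY HH:MM:SS[.mmm] [thread] message`.  SAMPLE_LOG
is constructed to mirror the excerpt in the post, with placeholder addresses,
hosts and queue-file names.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
26.12.2005 05:45:21.375 [b78] AVG for E-mail [7.1.371] started
26.12.2005 05:45:21 AutoSMTP(10025): Starting server
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1227
26.12.2005 07:45:28 AutoSMTP(10025): Client connected
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1228
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1231
26.12.2005 07:45:28 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:28 AutoSMTP(10025): Connection from 127.0.0.1:1233
26.12.2005 07:45:28 Sent mail for: user1@example.com
26.12.2005 07:45:29 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:29 AutoSMTP(10025): Connection from 127.0.0.1:1250
26.12.2005 07:45:29 AutoSMTP(10025): Client disconnected
26.12.2005 07:45:29 AutoSMTP(10025): Connection from process 452
26.12.2005 07:45:29 AutoSMTP(10025): Connection from 127.0.0.1:1252
26.12.2005 07:45:30 Sending e-mail in queue file C:\\AVG7\\QUEUE\\ACTIVE\\0000000001.cf
26.12.2005 07:45:30 Host: 192.0.2.10:25
26.12.2005 07:45:30 From:
26.12.2005 07:45:30 To: user2@example.net
26.12.2005 07:45:31 AutoSMTP(10025): Connection from process 1000
26.12.2005 07:45:31 AutoSMTP(10025): Connection from 127.0.0.1:1302
26.12.2005 07:45:33 Sending e-mail in queue file C:\\AVG7\\QUEUE\\ACTIVE\\0000000002.cf
26.12.2005 07:45:33 Host: 192.0.2.20:25
26.12.2005 07:45:33 From: me@example.org
26.12.2005 07:45:33 To: user3@example.com
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)? "
    r"(?:\[[0-9a-f]+\] )?(?P<msg>.*)$"
)
PROC_RE = re.compile(r"AutoSMTP\(\d+\): Connection from process (\d+)")
SENT_RE = re.compile(r"Sent mail for: (\S+)")
QUEUE_RE = re.compile(r"Sending e-mail in queue file (.+)")
# The three lines that follow each "Sending e-mail in queue file" entry.
FIELD_RES = (("host", re.compile(r"Host: (\S+)")),
             ("from", re.compile(r"From:\s*(.*)")),
             ("to", re.compile(r"To:\s*(.*)")))


def parse_emc_log(text):
    """One pass over the log: which local pid opened SMTP sessions (total and
    per second), plus host / sender / recipient of every queued delivery."""
    per_process = Counter()              # pid -> connections to the AutoSMTP proxy
    per_second = defaultdict(Counter)    # timestamp -> pid -> connections
    deliveries, sent_for = [], []
    current = None                       # delivery record being filled in
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d.%m.%Y %H:%M:%S")
        msg = m["msg"]
        if pm := PROC_RE.search(msg):
            pid = int(pm.group(1))
            per_process[pid] += 1
            per_second[ts][pid] += 1
        elif sm := SENT_RE.search(msg):
            sent_for.append(sm.group(1))
        elif qm := QUEUE_RE.search(msg):
            current = {"time": ts, "queue_file": qm.group(1),
                       "host": None, "from": None, "to": None}
            deliveries.append(current)
        elif current is not None:
            for key, rx in FIELD_RES:
                if fm := rx.match(msg):
                    current[key] = fm.group(1).strip()   # "From:" alone -> ""
                    break
    return per_process, per_second, deliveries, sent_for


def triage(per_second, deliveries, burst_threshold):
    """Findings a responder wants first: one local process opening many SMTP
    sessions within a single second, and queued mail with no envelope sender."""
    findings = []
    for ts, pids in sorted(per_second.items()):
        for pid, n in sorted(pids.items()):
            if n >= burst_threshold:
                findings.append(f"{ts:%H:%M:%S} pid {pid}: {n} SMTP connections in one second")
    for d in deliveries:
        if not d["from"]:
            findings.append(f"{d['time']:%H:%M:%S} empty envelope sender to {d['to']} via {d['host']}")
    return findings


def analyze(text, burst_threshold=3):
    """Parse and triage; burst_threshold is a constructed default, tune it to the host."""
    per_process, per_second, deliveries, sent_for = parse_emc_log(text)
    return {"per_process": dict(per_process), "deliveries": deliveries,
            "sent_for": sent_for,
            "findings": triage(per_second, deliveries, burst_threshold)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("connections per pid:", report["per_process"])
    for line in report["findings"]:
        print("FINDING:", line)
```

In the excerpt above every connection comes from the same process id (452) and every queued message has an empty From: line, so identifying that pid on the live machine (Task Manager with the PID column, or tasklist) is the first step.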
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Go to here and download the 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on the desktop.
Click on the entry in the start menu or on the desktop to run HijackThis.
Click the "Scan" button; when the scan is finished the scan button will become "Save Log". Click that and save the log.
Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
I have never run HijackThis from anywhere except its own folder on my hard drive.

I also ran Spyware Doctor which, I must admit, I wasn't really impressed with, but it did find a lot of old stuff in my registry that Registry Mechanic and Spybot etc. all missed.

Here's my HijackThis log from just now.

Thanks
LV


Logfile of HijackThis v1.99.1
Scan saved at 13:54:00, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\locator.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://couronne.proboards20.com/index.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = JOANNE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.128.15:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .psd: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v47/blockwerx/blockwerx.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinner.com/games/v41/tilecity/tilecity.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Don't disable the email plug-in.

There is obviously something there sending emails via a hidden server, and disabling AVG just hides the fact it's doing it from you; it doesn't stop it doing it.

Try this to see what is running:

  • Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    • Reboot back to Normal Mode!
    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Place those results in the next post!

and

open HJT, press Config > Misc Tools and tick both boxes about empty and minor sections.

Press "Generate StartupList log" and post that log back here.
 

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
Here you go, and I really appreciate you taking the time to help. Thanks.


I had to attach it as it wouldn't let me post it, too many letters.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
There are lots of strange entries in the WinPFind log and a lot of disabled startups.

Let's try this first, but I really think that you have a rootkit there that is hiding the files, and that is dangerous.

* Run ActiveScan online virus scan here

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log
 

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
I ran the Panda online scan before when I had some problems, and I also ran RootkitRevealer because of something I had seen on Symantec's website, but neither showed anything.
I will run it again now. Thanks

LV
 

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
Panda

Incident Status Location

Adware:Adware/NavHelper Not desinfected C:\WINDOWS\nxstinst.exe
Adware:Adware/NavHelper Not desinfected C:\WINDOWS\remover.dll
Adware:adware/powerscan Not desinfected C:\WINDOWS\Downloaded Program Files\pcpowerscan.EXE
Adware:Adware/KeenValue Not desinfected C:\WINDOWS\Downloaded Program Files\imloader.exe
Adware:Adware/Secure32 Not desinfected C:\DOWNLOADS\zwtcpspx.exe[run.exe]
Virus:mIRC/Gen Not desinfected E:\newfilters\Photoshop Plugins\Photoshop-AdobeFilter.exe[REMOTE.INI]


Logfile of HijackThis v1.99.1
Scan saved at 18:01:03, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\locator.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://couronne.proboards20.com/index.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = JOANNE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.128.15:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .psd: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v47/blockwerx/blockwerx.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinner.com/games/v41/tilecity/tilecity.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Looking over this one, I am not certain that I would ever trust this one, so my advice is to format & reinstall.

I am convinced that there is a hidden backdoor there that is sending all the emails, and I can't guarantee to fix it, and even if we did manage to, there is just too much chance of leaving bits behind.
 

LazyVampire

Thread Starter
Joined
Jun 25, 2005
Messages
103
Thanks for your help, but I had already decided that I was going to reformat after I realised that a couple of those things that Panda found are not to be seen in the folders where they should be, and I tried running RootkitRevealer and there's all sorts hidden: registry entries, files and folders etc. I was arguing with a friend who said I had deleted things that I knew I hadn't, and I think I was right.

Can you tell me if I should scrub everything or just system stuff? I've burned a lot of stuff onto discs lately that I didn't want to lose, and I'm wondering if there's any chance of me saving some bad guys in there too. I'd hate to reformat just to add them back. Oh, and my slave/storage drive? Shall I have to scrub that too?

In fact, is it safe to save anything?

Thanks for taking the time to try and help.

LV
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Normally photos & music, text files etc. are safe to back up & restore,

provided you are sure that they are what they are supposed to be & not something masquerading.
 