Avast Internet Mail Shield - acting weird

Hi, I have a problem with the on-access protection, particularly the Internet Mail shield. For the past two days it pops up every few seconds scanning outgoing mail. The email addresses are not known to me, nor are the recipients. My Outlook mailbox is closed. I have no idea where these emails are being sent from or why Avast is scanning them. I have run virus scans both with Avast and with online virus scanners, I have run Ad-Aware, Spybot and a couple of others, and there is no evidence of spyware, trojans or worms. Nothing, and yet the email scanner keeps popping up regular as clockwork scanning outgoing mail. Can anyone tell me what might be going on?

Probably you’re infected and the malware is trying to send emails from your computer.

A full scan would be good:

  1. Avast boot-time scan. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  2. AVG Antispyware
  3. SUPERantispyware
  4. Spyware Terminator
  5. a-squared

Can you post the scanning results?

Thank you. I have downloaded those programs; SUPERAntiSpyware was one I had already used, which came up with nothing, but I will run it again and post the logs. I also have HijackThis if you want that log as well.

What is your firewall?
It should be capable of blocking unauthorised outbound Internet connections. That should stop unauthorised outbound connections. It probably isn't using Outlook but its own very small SMTP program.

Try running SAS from Safe Mode and see if it makes any difference, then try some of the other ones Tech gave links for, probably in the order he gave them.

Windows Firewall. I only recently installed Sygate Personal Firewall; trouble is, I am an amateur, and I have no idea of what should be blocked and what should be allowed. As Avast is my usual outgoing mail scanner, I didn't block it, which is just as well, otherwise I would not have known that I had an infection.

During the boot scan 5 infected files were found. Funny how none of the other scans found them at all. I will run the other scans and post the logs tomorrow, but not tonight; it's time for me to sleep.

One of the problems with Sygate is that it has a vulnerability that you accidentally discovered for yourself: it can't cope with what is called the localhost loopback. Sygate challenges the localhost proxy of avast's Internet Mail provider (ashMaiSv.exe) and you correctly allow it. The problem is, all email traffic using ports 25 (smtp), 110 (pop3), etc. is intercepted by the Internet Mail provider so that it can be scanned and then dispatched; it all goes through the proxy, and Sygate can't tell the difference, so it goes unchallenged.

So in both cases, XP firewall (it doesn't check outbound connections) and Sygate, there is a weakness that allows stuff through unchallenged if it uses a localhost loopback. So you need a firewall that provides that outbound protection and can differentiate between the proxy and the program using it.

There are many forum members using both PC Tools Firewall Plus and the Comodo firewall.

I’m a happy Comodo firewall user.
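The attribution problem described above, as an added example that is not code from the thread or from Avast: a per-application firewall only sees the proxy (ashMaiSv.exe) opening the real SMTP connection, while the originating program is only visible on the loopback side. The script assumes a `netstat -ano`-style listing and a PID-to-image map as `tasklist` would give; both are constructed sample data, and `unknown_sender.exe` is a hypothetical name.

```python
"""Attribute outbound mail that a localhost scanning proxy hides from a
per-application firewall, by correlating loopback connections into the
proxy with the proxy's own outbound connections.

Added example; not code from the thread or from Avast. The netstat text
and PID map below are constructed sample data.
"""

MAIL_PORTS = {25, 110, 143}      # smtp, pop3, imap: what the mail provider intercepts
PROXY_IMAGE = "ashMaiSv.exe"     # the avast Internet Mail provider named in the thread
LOOPBACK = "127.0.0.1"

# Constructed sample in the shape of `netstat -ano` output on Windows XP.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING       1220
  TCP    127.0.0.1:1043         127.0.0.1:25           ESTABLISHED     1844
  TCP    127.0.0.1:25           127.0.0.1:1043         ESTABLISHED     1220
  TCP    192.168.0.10:1044      203.0.113.7:25         ESTABLISHED     1220
  TCP    127.0.0.1:1051         127.0.0.1:25           ESTABLISHED     2288
  TCP    127.0.0.1:25           127.0.0.1:1051         ESTABLISHED     1220
  TCP    192.168.0.10:1052      198.51.100.9:25        ESTABLISHED     1220
  TCP    192.168.0.10:1060      203.0.113.40:80        ESTABLISHED     1844
"""

# Constructed PID-to-image map (what `tasklist` would show). The last entry
# is a hypothetical unknown program, not a file named in the thread.
PROCESS_SAMPLE = {1220: "ashMaiSv.exe", 1844: "OUTLOOK.EXE", 2288: "unknown_sender.exe"}


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state, pid) tuples
    for the TCP rows of a `netstat -ano` listing; header and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        local_ip, local_port = parts[1].rsplit(":", 1)
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        rows.append((local_ip, int(local_port), remote_ip, int(remote_port),
                     parts[3], int(parts[4])))
    return rows


def firewall_view(rows, procs):
    """Images with established connections leaving the host on a mail port.
    This is all a firewall that judges by the connecting image ever sees:
    the proxy, never the program that handed it the mail."""
    return {procs.get(pid, "pid %d" % pid)
            for _lip, _lport, rip, rport, state, pid in rows
            if rip != LOOPBACK and rport in MAIL_PORTS and state == "ESTABLISHED"}


def proxy_clients(rows, procs):
    """Images connecting *into* the loopback proxy on a mail port: the real
    originators of the outbound mail. The proxy's own half of each loopback
    pair is excluded."""
    return {procs.get(pid, "pid %d" % pid)
            for _lip, _lport, rip, rport, state, pid in rows
            if rip == LOOPBACK and rport in MAIL_PORTS
            and state == "ESTABLISHED" and procs.get(pid) != PROXY_IMAGE}


def unexpected_senders(rows, procs, allowed_clients):
    """Originators that are not on the list of mail clients you expect to send."""
    return proxy_clients(rows, procs) - set(allowed_clients)


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("what the firewall attributes outbound SMTP to:", firewall_view(rows, PROCESS_SAMPLE))
    print("who is really feeding the proxy:", proxy_clients(rows, PROCESS_SAMPLE))
    print("not an expected mail client:", unexpected_senders(rows, PROCESS_SAMPLE, ["OUTLOOK.EXE"]))
```

Run against real `netstat -ano` and `tasklist` output, the loopback side is what tells you which image is actually generating the mail the shield keeps scanning.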

Funny or weird?
The report file is created automatically in \Data\Report\aswBoot.txt
Can you post it here?

Wow, thanks for your help. It's been a long evening, scan after scan… It appeared as if those programs had removed things and I was quite pleased. I ran them all in Safe Mode, and as soon as I restarted the computer and it connected to the internet, the Avast email scanner immediately came online and started sending emails, so it seems my optimism was short lived. But here are the logs of all those scans; hopefully something can be pinpointed.

I meant funny as in unusual, I have run multiple scans over the past couple of days and nothing has been found until now.

As far as advice on firewalls, thank you again. I have already uninstalled Sygate and shut down Windows Firewall, and I have downloaded PC Tools to the laptop and Comodo to the desktop to see which is best.

Avast Boot Schedule Log:

06/08/2007 16:57
Scan of all local drives
File C:\WINDOWS\system32\max1d1641.exe is infected by Win32:Dialer-407 [Trj], Deleted
File C:\WINDOWS\system32\xpdx.sys Error 0xC0000034 {Object Name not found.}

Scanning aborted

Number of searched folders: 4025
Number of tested files: 53381
Number of infected files: 1


06/23/2007 03:03
Scan of all local drives
File C:\WINDOWS\system32\faatekhy.dll is infected by Win32:BHO-ES [Trj]
File C:\WINDOWS\system32\gmumeogf.dll is infected by Win32:BHO-ES [Trj]
File C:\WINDOWS\system32\lnjggpuy.dll is infected by Win32:BHO-ES [Trj]
File C:\WINDOWS\system32\ootnpuxo.dll is infected by Win32:BHO-ES [Trj]
File C:\WINDOWS\system32\sfbkqjvo.dll is infected by Win32:BHO-ES [Trj]
File C:\WINDOWS\system32\xpdx.sys Error 0xC0000034 {Object Name not found.}
File D:\Lee’s Files\Desktop\UXTheme Multi-Patcher 1.01.exe%SYS32%\dllcache\uxtheme.dll Error 42146 {Installer archive is corrupted.}
File D:\Lee’s Files\Desktop\UXTheme Multi-Patcher 1.01.exe%SYS32%\dllcache\uxtheme.dll Error 42146 {Installer archive is corrupted.}
File D:\Lee’s Files\Setups\Desktop\nw_uxtheme.zip\UXTheme Multi-Patcher (Neowin Edition) 2.5.1.exe%SYS%\dllcache\uxtheme.dll Error 42146 {Installer archive is corrupted.}
File D:\Lee’s Files\Setups\Desktop\nw_uxtheme.zip\UXTheme Multi-Patcher (Neowin Edition) 2.5.1.exe%SYS%\dllcache\uxtheme.dll Error 42146 {Installer archive is corrupted.}

Number of searched folders: 5391
Number of tested files: 156068
Number of infected files: 5

AVG Spyware Log:


AVG Anti-Spyware - Scan Report

  • Created at: 5:58:11 PM 23/06/2007

  • Scan result:

C:\Documents and Settings\Lee\Desktop\EvID4226Patch223d-en.zip/EvID4226Patch.exe → Not-A-Virus.Hacktool.EvID : No action taken.
C:\Documents and Settings\Lee\My Documents\Other\EvID4226Patch.exe → Not-A-Virus.Hacktool.EvID : No action taken.
C:\Documents and Settings\Lee\Cookies\lee@atdmt[2].txt → TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Lee\Cookies\lee@bs.serving-sys[1].txt → TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Lee\Cookies\lee@serving-sys[1].txt → TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Lee\Cookies\lee@toplist[1].txt → TrackingCookie.Toplist : No action taken.

::Report end

Hi guys, I only managed to get half the logs posted as I have suddenly developed a new problem. As I was posting the logs from my desktop computer (the nasty one) I suddenly got this popup saying that the services application (??) had a problem and needed to close. Then a second window popped up saying something (and I cannot remember the exact wording) about NT Authority shutting down: C:\windows\system32\services.exe was shutting down, error code 203. It rebooted, only to immediately pop up the same window, but this time the error code was 1073741819. Each time the computer reboots, it pops that error and shuts down in 40 seconds. I cannot get it to boot up and stay booted, so at this point I cannot post the rest of the logs. I will persevere with it for a little bit longer, but I am afraid I can see a format and reinstall of Windows coming on…

And in case you are wondering, I am posting this from the laptop, if I can keep the desktop up and running for more than 40 seconds, I will try and transfer the logs to my USB stick and post here.

Infected files. You can send them to Chest.

Why?

Infected files. You can send them to Chest.

Don’t worry: avast couldn’t unpack and scan the files. Seems safe files.

Too much worry from AVG-AS… That is a known file for tweaking the number of TCP/IP connections.

Well… just tracking cookies to be deleted.

Quote from: Flashfire on Today at 12:46:12 PM
Scanning aborted
Why?

Don’t know, it just stopped. I thought it had finished scanning.

Please, Google this… you’re infected…

No problem, glad we could help.

I noticed on one of the actions you chose delete; deletion isn't really a good first option (you have none left). 'First do no harm': don't delete, send the virus to the chest and investigate.

You have also dealt with a number of infected files in the system folders; prevention is better than cure. You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

Cookies for the most part aren't a problem; you should periodically clear your browser cache and cookies. So much so that in the settings of AVG-AS I have tracking cookies unchecked, as I have the Firefox CookieSafe extension. With that I have greater control over cookies anyway.

I know it's infected; it's just a matter of what and how to get rid of it.

On with the logs:

Spyware Terminator

Scan Progress (Full Scan)

Start time: 23/06/2007 6:51:10 PM
Database: 1.0.804.560


See if you can quickly click the Start button, then Run. In the empty field type

shutdown -a

and click OK.

EDIT:

If you’re able to keep the computer running, download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it will produce a log for you. Post that log and a HijackThis log (instructions below) in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Click here to download HJTsetup.exe

  1. Save HJTsetup.exe to your desktop.
  2. Double-click on the HJTsetup.exe icon on your desktop.
  3. By default it will install to C:\Program Files\Hijack This.
  4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  5. Put a check by Create a desktop icon then click Next again.
  6. Continue to follow the rest of the prompts from there.
  7. At the final dialogue box click Finish and it will launch Hijack This.
  8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  9. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  10. Come back here to this thread and paste the log in your next reply.
  11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


General cleaning procedures…

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

  5. If you are still detecting any strange behavior, or even if you're sure you're not clean, it may be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

  6. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

  7. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Logfile of HijackThis v1.99.1
Scan saved at 10:31:09 PM, on 23/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tpg.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.tpg.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bri-pow-pr4.tpgi.com.au:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.1;192.168.1.1;
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [RoboForm] “C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe”
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DCDC28C5-831C-43EA-9C02-78872CCCA409} (VPlayer Control) - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

Done

2) Clean your temporary files. You can use CleanUp (http://www.stevengould.org/downloads/cleanup/) or the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features for that.

Done, several times in fact.

3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting).

Done, I posted the log

4) It will be good if you download, install, update and run AVG Antispyware (http://www.ewido.net/en/). Some users recommend SUPERantispyware (http://www.superantispyware.com), Spyware Terminator (http://www.spywareterminator.com/) and/or a-squared (http://www.emsisoft.com/en/software/free/) (take care about false positives). If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

Done and yeah admittedly I goofed, I deleted the files.

5) If you are still detecting any strange behavior, or even if you're sure you're not clean, it may be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0), Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx) and/or F-Secure BlackLight (http://www.f-secure.com/blacklight/try_blacklight.html).

Will certainly do that; it's the only thing I have not yet done…

6) After you're clean, use the immunization of SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or, which is better, the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features of spyware/adware cleaning and removal.

I was already running Spywareblaster, which is one of the annoying aspects of this. It seems whatever has happened, slipped through and from what I can gather it was in a so called clean file, which I scanned when I downloaded it.

7) Finally, when you're clean, check for insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/) to update insecure applications and avoid reinfection.

Will do. Now onto the next step. Thank you for your time and patience.

Don’t forget to run ComboFix when you get a chance. Instructions are on page 1.