Help! Internet Mail is scanning emails I'm not sending

Hi,

I just installed avast a few days ago and have been finding my way around.

I’ve noticed tonight that the Internet Mail provider has scanned 4000+ emails that I have not sent, and is still scanning them. Occasionally I am getting a warning message to say that I am sending too many identical emails within a specified time limit.

avast! has given my PC a clean bill of health except for a Trojan which is sitting in the Chest!

I don’t know what to do next. Please help.

I suggest:

  1. Disable System Restore and re-enable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

thanks, I will follow these steps and report back :slight_smile:

Will be here to help.

Hi,

1-3: completed. No problems detected.

4: Superantispyware kept restarting my machine. Made 3 attempts at the Full scan, but after scanning about 4000 files it just restarted my computer. Gave up and ran Spyware Terminator. This picked up a Trojan and 2 invalid startup items which I’ve quarantined.

5: avast! picked up 1 rootkit and cleaned the file successfully.

6: Did the RunScanner log, but having problems accessing other forums (might be due to my location in China). So have also done a HijackThis and attach the log here for your perusal.

Unfortunately, the emailing problem remains.

Hope you can help, thanks.

ooops, continuing with steps 7 & 8 in the meantime… :slight_smile:


Welcome to the forums, chinaT. :slight_smile:

The below is for information only. I could have missed something as I am not an expert on HJT logs. So, please wait for someone else to give the proper instructions.

Not needed:

O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)

O9 - Extra button: ¨°??e¨¤¡ä¨°?¨¤?¨¦??? - {7DBC6ADB-5788-4FB9-AEC3-B40A58AC11DF} - http://www.yiqilai.com (file missing)

O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)

O9 - Extra ‘Tools’ menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)

This one is bad:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab [SmileyCentral is known to have malware]

Do you also have Symantec/Norton or did you have?

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

This one could be bad:

O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll


Hopefully, someone will be able to help you soon. 


***

Well, let’s see if we can keep the mailman from his appointed rounds. :wink:

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically ‘C:\SDFix’) Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

thanks CharleyO… will take a raincheck on your suggestions till later

oldman… ;D would dearly love to have this mailman pack his bags, will follow your instructions and get back to you asap.

thanks

Hi oldman,

Here are the SDFix results:

SDFix: Version 1.162

Run by TAM on 26/03/2008 at 16:35

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
HMP37

Path:
System32\Drivers\Hmp37.sys

HMP37 - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Service HMP37 - Deleted after Reboot

Checking Files :

Trojan Files Found:

C:\Program Files\JavaCore\UnInstall.exe - Deleted
C:\Program Files\nvcoi\mst.stt - Deleted
C:\Program Files\Temporary\InsiDERInst.exe - Deleted
C:\WINDOWS\b155.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\b154.exe - Deleted
C:\Program Files\Setup.exe - Deleted
C:\WINDOWS\svchost.ini - Deleted
C:\WINDOWS\system32\Isass.exe - Deleted
C:\WINDOWS\system32\WLCtrl32.dll - Deleted
C:\WINDOWS\system32\drivers\HMP37.sys - Deleted

Folder C:\Program Files\JavaCore - Removed
Folder C:\Program Files\nvcoi - Removed
Folder C:\Program Files\Temporary - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 16:39:38
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden services …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Hexacto\Kasparov Chessmate\KasparovChess.exe"="C:\Program Files\Hexacto\Kasparov Chessmate\KasparovChess.exe:*:Disabled:KasparovChess"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\PPStream\PPStream.exe"="C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPStream"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Qianhong\Qianhong.exe"="C:\Program Files\Qianhong\Qianhong.exe:*:Disabled:Qianhong Application"
"C:\Program Files\Tencent\QQ\QQ.exe"="C:\Program Files\Tencent\QQ\QQ.exe:*:Disabled:QQ"
"C:\Program Files\TVAnts\Tvants.exe"="C:\Program Files\TVAnts\Tvants.exe:*:Enabled:TVAnts"
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe"="C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1177552405\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1177552405\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1177552405\ee\AOLOpenRide.exe"="C:\Program Files\Common Files\AOL\1177552405\ee\AOLOpenRide.exe:*:Enabled:AOL OpenRide"
"C:\Program Files\Tencent\Foxmail\Foxmail.exe"="C:\Program Files\Tencent\Foxmail\Foxmail.exe:*:Enabled:Internet Mail Client"
"C:\Program Files\Messenger\MSMSGS.EXE"="C:\Program Files\Messenger\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\Program Files\PPLive\PPLive.exe"="C:\Program Files\PPLive\PPLive.exe:*:Enabled:PPLive"
"D:\LeapFTP-v2.76\LeapFTP.exe"="D:\LeapFTP-v2.76\LeapFTP.exe:*:Enabled:FTP 客户端工具"
"C:\Program Files\Common Files\AOL\1201394859\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1201394859\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1201394859\ee\AOLOpenRide.exe"="C:\Program Files\Common Files\AOL\1201394859\ee\AOLOpenRide.exe:*:Enabled:AOL OpenRide"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"D:\website\uploadtool\HA_LeapFTP2.7.6.613_yfy\LeapFTP.exe"="D:\website\uploadtool\HA_LeapFTP2.7.6.613_yfy\LeapFTP.exe:*:Enabled:FTP 客户端工具"
"C:\Program Files\Shareaza Applications\Shareaza\Shareaza.exe"="C:\Program Files\Shareaza Applications\Shareaza\Shareaza.exe:*:Enabled:Shareaza"
"C:\Program Files\Real\RealPlayer\RealPlay.exe"="C:\Program Files\Real\RealPlayer\RealPlay.exe:*:Enabled:RealPlayer"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe"="C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe:*:Enabled:Thunder"
"C:\WINDOWS\system32\Isass.exe"="C:\WINDOWS\system32\Isass.exe:*:Enabled:Local Security Authority Service"
"C:\WINDOWS\system32\qmgh.exe"="C:\WINDOWS\system32\qmgh.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\hrldtbda.exe"="C:\WINDOWS\system32\hrldtbda.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\awhrndin.exe"="C:\WINDOWS\system32\awhrndin.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\mqftx.exe"="C:\WINDOWS\system32\mqftx.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\txkoiuku.exe"="C:\WINDOWS\system32\txkoiuku.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\bhsfb.exe"="C:\WINDOWS\system32\bhsfb.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\nysd.exe"="C:\WINDOWS\system32\nysd.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\baxdhb.exe"="C:\WINDOWS\system32\baxdhb.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\nwymdv.exe"="C:\WINDOWS\system32\nwymdv.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\wstmp.exe"="C:\WINDOWS\system32\wstmp.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\tsynlelf.exe"="C:\WINDOWS\system32\tsynlelf.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\bxopb.exe"="C:\WINDOWS\system32\bxopb.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\bxix.exe"="C:\WINDOWS\system32\bxix.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\czorq.exe"="C:\WINDOWS\system32\czorq.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Disabled:eMule"
"C:\Program Files\Tencent\Foxmail\FoxHot.exe"="C:\Program Files\Tencent\Foxmail\FoxHot.exe:*:Disabled:Foxmail-Hotmail Proxy Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 19 Mar 2008 39,936 ...H. --- "C:\WINDOWS\11.exe"
Wed 25 Aug 2004 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Wed 25 Aug 2004 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Fri 27 Aug 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv18.bak"
Fri 27 Aug 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 13 Jun 2007 79,360 A..H. --- "C:\System Volume Information\_restore{A7D1B387-3878-4CEE-A162-4E106DA72DC2}\RP3\A0002033.exe"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT2.tmp"
Wed 10 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 12 Oct 2005 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6752e343d22c025be1f290a6267a146d\BIT5.tmp"
Fri 9 Jun 2006 401 A..H. --- "C:\Documents and Settings\TAM\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 27 Aug 2004 4,348 ...H. --- "C:\Documents and Settings\TAM\My Documents\My Music\License Backup\drmv1key.bak"
Thu 30 Sep 2004 312 A.SH. --- "C:\Documents and Settings\TAM\My Documents\My Music\License Backup\drmv2key.bak"
Mon 10 Dec 2007 22,528 ...H. --- "C:\Documents and Settings\TAM\My Documents\My Scribbles\TCG Columns\~WRL0500.tmp"
Tue 11 Dec 2007 30,208 ...H. --- "C:\Documents and Settings\TAM\My Documents\My Scribbles\TCG Columns\~WRL3143.tmp"
Tue 11 Dec 2007 32,768 ...H. --- "C:\Documents and Settings\TAM\My Documents\My Scribbles\TCG Columns\~WRL3997.tmp"
Tue 11 Dec 2007 31,232 ...H. --- "C:\Documents and Settings\TAM\My Documents\My Scribbles\TCG Columns\~WRL2037.tmp"
Tue 11 Dec 2007 31,232 ...H. --- "C:\Documents and Settings\TAM\My Documents\My Scribbles\TCG Columns\~WRL1517.tmp"
Mon 24 Mar 2008 35,840 ...H. --- "C:\Documents and Settings\TAM\My Documents\My Scribbles\TCG Columns\~WRL0001.tmp"
Tue 4 Dec 2007 43,008 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL0003.tmp"
Tue 11 Dec 2007 24,064 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL1397.tmp"
Tue 11 Dec 2007 25,088 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL1790.tmp"
Tue 11 Dec 2007 25,088 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL2178.tmp"
Fri 5 Jan 2007 139,776 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL1523.tmp"
Sun 10 Apr 2005 24,576 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL0474.tmp"
Tue 11 Dec 2007 25,088 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL0546.tmp"
Tue 11 Dec 2007 26,112 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL0253.tmp"
Tue 11 Dec 2007 27,136 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL2679.tmp"
Tue 11 Dec 2007 26,624 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL0958.tmp"
Tue 11 Dec 2007 29,184 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL3890.tmp"
Tue 11 Dec 2007 29,184 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL3091.tmp"
Tue 11 Dec 2007 30,208 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL3489.tmp"
Tue 11 Dec 2007 30,208 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL1794.tmp"
Tue 11 Dec 2007 32,256 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL2192.tmp"
Thu 20 Dec 2007 23,552 ...H. --- "C:\Documents and Settings\TAM\Application Data\Microsoft\Word\~WRL0004.tmp"
Sun 24 Oct 2004 20,480 ...H. --- "C:\Documents and Settings\TAM\My Documents\My Scribbles\Poetry\Made in New Zealand Poetry 2003-2004\~WRL0001.tmp"

Finished!

OK, and I’ll attach a report of the Hijackthis I just did too.

and… I’m going to whisper this because I’m scared the mailman will hear me and return but… I’ve been connected to the internet for 17 minutes now and not a single email has been sent!!! 8)

awaiting your diagnosis, thanks
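The authorized-applications export in the SDFix report above is where the random-named system32 binaries with the generic `@xpsp2res.dll,-22005` description, and the look-alike `Isass.exe` (capital I standing in for the l of lsass.exe), first become visible. As an added example that is not part of the thread or of SDFix, here is a small Python triage script that parses an export in that format and flags both patterns; the allow-list, the two heuristics and the sample export are my own constructions, modelled on the posted log.

```python
"""Triage an SDFix-style export of the Windows XP Firewall
AuthorizedApplications list (added example, not from the thread or SDFix).
Flags (a) file names that only look like a system binary and (b) unrecognised
system32 binaries whose display name is a bare resource-string reference."""
import re
from typing import Dict, List, Tuple

# One entry per line: "<key>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
ENTRY_RE = re.compile(
    r'^"(?P<key>[^"]+)"="(?P<path>.+?):(?P<scope>[^:]*):'
    r'(?P<state>Enabled|Disabled):(?P<name>.*)"$',
    re.IGNORECASE,
)

# Small illustrative allow-list (assumption): binaries that legitimately appear
# in this list with an @dll,-id description.  A real triage needs a fuller list.
KNOWN_SYSTEM = {"lsass.exe", "sessmgr.exe", "xpnetdiag.exe", "svchost.exe"}

# Characters commonly swapped in to imitate a system binary name.
HOMOGLYPHS = {"I": "l", "1": "l", "0": "o"}

# Constructed sample export, modelled on the one posted in the thread.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\WINDOWS\system32\Isass.exe"="C:\WINDOWS\system32\Isass.exe:*:Enabled:Local Security Authority Service"
"C:\WINDOWS\system32\czorq.exe"="C:\WINDOWS\system32\czorq.exe:*:Enabled:@xpsp2res.dll,-22005"
"C:\WINDOWS\system32\bxix.exe"="C:\WINDOWS\system32\bxix.exe:*:Enabled:@xpsp2res.dll,-22005"
'''


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Return one dict per authorized-application line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def normalize(name: str) -> str:
    """Fold look-alike characters so 'Isass.exe' compares equal to 'lsass.exe'."""
    return "".join(HOMOGLYPHS.get(ch, ch.lower()) for ch in name)


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (file name, reason) for every entry that deserves a closer look."""
    findings = []
    for e in parse_entries(text):
        name = basename(e["path"])
        folded = normalize(name)
        in_system32 = "\\system32\\" in e["path"].lower()
        if folded in KNOWN_SYSTEM and name.lower() != folded:
            # Spelled like a system binary but not actually that name.
            findings.append((name, f"look-alike of system binary {folded}"))
        elif in_system32 and e["name"].startswith("@") and folded not in KNOWN_SYSTEM:
            # Real system components use resource-string names; unknown ones copying
            # that convention (and sitting in system32) are worth a second look.
            findings.append((name, "unrecognised system32 binary with resource-string description"))
    return findings


if __name__ == "__main__":
    for file_name, reason in triage(SAMPLE):
        print(f"{file_name}: {reason}")
```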

There was nothing wrong with CharleyO’s suggestion, those keys will go this time. And his question regarding Norton, was that your previous antivirus? Do you know which version you had?

Go to Add/Remove Programs and uninstall the following programs if present.

Tencent
Smiley Central
My Web Search
My Way Speedbar (Smiley Central or other FWP as applicable)
My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
Search Assistant - My Way

Open HJT, run a system scan only, check mark these lines if present

O9 - Extra button: ¨°??e¨¤¡ä¨°?¨¤?¨¦??? - {7DBC6ADB-5788-4FB9-AEC3-B40A58AC11DF} - http://www.yiqilai.com (file missing)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra ‘Tools’ menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O23 - Service: Windows System Event (SystemLog) - Unknown owner - C:\WINDOWS\TEMP\Servlee.ex (file missing)

Close all other browsers/windows, click fix, close HJT.

It is vitally important that Combofix is renamed before it even starts to download.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

Hi oldman,

Bloody QQ! I installed QQ (Tencent) a year or so back but removed it AGES ago. I know bits of it have lingered on the system >:(

Yes my previous anti-v was Norton. I don’t know the version (2004 perhaps?) but I can tell you I’ve had it for 3 years and just paid every year for an annual update. The last month I’ve had big problems with the auto-update and nothing could be done to get it to actually update, (even though it said it was updating but then the next day it kept telling me it was out of date) including their suggestions, so in the end I got fed up and ditched it… but not before I did some research and found avast!

OK, I ran the combofix and HJT again and attach the results,

How’s it looking ?

I ran into a whole pile of unfamiliar files. We’ll have to test some random ones to see what we are dealing with. You also have an autorun virus or two. Don’t use any USB devices for now.

When did you add these programs?

360safe
ZoneAlarmSB

Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\czorq.exe
C:\WINDOWS\system32\tsynlelf.exe
C:\WINDOWS\system32\nysd.exe
C:\WINDOWS\system32\txkoiuku.exe
C:\WINDOWS\system32\nysd.exe

Scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Then

Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

A friend of mine installed both the 360Safe and Zone alarm about 2 days ago, just after I swapped my anti-virus, to clean up my system. I deleted them from Add/Remove Progs the same day.

Please find the links to the webpage results for the file scans. I wasn’t sure if you wanted me to copy and paste, but the link seems easier. I only scanned 4 as one appears to be a duplicate ? They all came up with the same results!

http://www.virustotal.com/analisis/74b8d9752155beb9be4564a1f4f2392b

http://www.virustotal.com/analisis/b26060bda1f8599cd625d34090f61794

http://www.virustotal.com/analisis/9abbb2ab9b94a6c720caf1cb4e88ad8f

http://www.virustotal.com/analisis/9ddb3c3451eb0ad63fe3ff7f802fc0c7

Also here is the Malware log information:

Malwarebytes' Anti-Malware 1.09
Database version: 552

Scan type: Quick Scan
Objects scanned: 29433
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c4ee31f3-4768-11d2-be5c-00a0c9a83da1} (Rogue.WinFixer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{c4ee31f3-4768-11d2-be5c-00a0c9a83da1} (Rogue.WinFixer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newcocomediapop.popcoco (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newcocomediapop.popcoco.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newspoupupad.aflogc (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newspoupupad.aflogc.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9ba1aa9-cad4-4c14-bde6-922dff5f6f38} (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPV (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\CPV (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\mprmsgse.axz (Adware.Cinmus) -> Quarantined and deleted successfully.

As usual, I await your instructions. Thanks

Which is the homepage of 360Safe?

Thanks. I’d like to know more about 360Safe; all I know is it’s a Chinese trojan remover/disk cleaner. The homepage would be useful as it left some junk behind.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\wstmp.exe
C:\WINDOWS\system32\nwymdv.exe
C:\WINDOWS\system32\[u]0[/u]13b
C:\WINDOWS\system32\baxdhb.exe
C:\WINDOWS\system32\bhsfb.exe
C:\WINDOWS\system32\txkoiuku.exe
C:\WINDOWS\system32\nysd.exe
C:\WINDOWS\system32\6781ab8a
C:\WINDOWS\system32\mqftx.exe
C:\WINDOWS\system32\awhrndin.exe
C:\WINDOWS\system32\hrldtbda.exe
C:\WINDOWS\7881ab8a
C:\WINDOWS\system32\qmgh.exe
C:\WINDOWS\system32\bxopb.exe
C:\WINDOWS\system32\tsynlelf.exe
C:\WINDOWS\system32\wstmp.exe
C:\xcvhcb.exe
C:\WINDOWS\system32\czorq.exe

DirLook::
C:\WINDOWS\system32\drivers\pcihdd.sys
C:\WINDOWS\system32\15B63

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

Some number files to check

Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32-95-127-85-118
C:\WINDOWS\121-127-85-118

Scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Good morning :slight_smile:

360Safe

Homepage: www.360.cn
But it was downloaded from a different website: http://soft.ylmf.com/
Downloaded version was v4.0
Chinese name: 360安全卫士

I will do the other tasks and report back in a while.

OK. Virustotal scans of the two files, both came up 0/32. Here are the links:

http://www.virustotal.com/analisis/5a0017c5595be0a89c514162b545fad3

http://www.virustotal.com/analisis/105818b112dfad1f1c1c5fd66a7aeab6

HJT log attached and Combofix log below:

ComboFix 08-03-25.4 - TAM 2008-03-28 9:39:12.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.175 [GMT 8:00]
Running from: C:\Documents and Settings\TAM\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\TAM\Desktop\CFscript.txt

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\7881ab8a
C:\WINDOWS\system32[u]0[/u]13b
C:\WINDOWS\system32\6781ab8a
C:\WINDOWS\system32\awhrndin.exe
C:\WINDOWS\system32\baxdhb.exe
C:\WINDOWS\system32\bhsfb.exe
C:\WINDOWS\system32\bxopb.exe
C:\WINDOWS\system32\czorq.exe
C:\WINDOWS\system32\hrldtbda.exe
C:\WINDOWS\system32\mqftx.exe
C:\WINDOWS\system32\nwymdv.exe
C:\WINDOWS\system32\nysd.exe
C:\WINDOWS\system32\qmgh.exe
C:\WINDOWS\system32\tsynlelf.exe
C:\WINDOWS\system32\txkoiuku.exe
C:\WINDOWS\system32\wstmp.exe
C:\xcvhcb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\7881ab8a
C:\WINDOWS\system32[u]0[/u]13b
C:\WINDOWS\system32\6781ab8a
C:\WINDOWS\system32\awhrndin.exe
C:\WINDOWS\system32\baxdhb.exe
C:\WINDOWS\system32\bhsfb.exe
C:\WINDOWS\system32\bxopb.exe
C:\WINDOWS\system32\czorq.exe
C:\WINDOWS\system32\hrldtbda.exe
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mqftx.exe
C:\WINDOWS\system32\nwymdv.exe
C:\WINDOWS\system32\nysd.exe
C:\WINDOWS\system32\qmgh.exe
C:\WINDOWS\system32\tsynlelf.exe
C:\WINDOWS\system32\txkoiuku.exe
C:\WINDOWS\system32\wstmp.exe
C:\xcvhcb.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-27 18:46 . 2008-03-27 18:46 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-27 18:46 . 2008-03-27 18:46 d-------- C:\Documents and Settings\TAM\Application Data\Malwarebytes
2008-03-27 18:46 . 2008-03-27 18:46 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-26 16:33 . 2008-03-26 16:33 d-------- C:\WINDOWS\ERUNT
2008-03-26 16:31 . 2008-03-26 07:16 d-------- C:\SDFix
2008-03-26 11:02 . 2008-03-26 11:02 d-------- C:\HiJackThis
2008-03-26 10:33 . 2008-03-26 10:33 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-26 10:33 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-26 10:11 . 2008-03-26 10:11 d-------- C:\WINDOWS\SxsCaPendDel
2008-03-26 09:45 . 2008-03-26 09:45 d-------- C:\Program Files\Spyware Terminator
2008-03-26 09:45 . 2008-03-26 09:45 d-------- C:\Documents and Settings\TAM\Application Data\Spyware Terminator
2008-03-26 09:45 . 2008-03-26 09:45 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-26 09:45 . 2008-03-26 09:45 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-26 09:22 . 2008-03-26 09:22 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-26 09:22 . 2008-03-26 09:22 d-------- C:\Documents and Settings\TAM\Application Data\SUPERAntiSpyware.com
2008-03-26 09:22 . 2008-03-26 09:22 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-23 16:38 . 2008-03-23 16:38 d-------- C:\Program Files\Alwil Software
2008-03-23 16:38 . 2007-12-04 21:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-23 16:38 . 2007-12-04 20:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-23 16:38 . 2007-12-04 22:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-23 16:38 . 2007-12-04 22:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-23 16:38 . 2007-12-04 22:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-23 16:38 . 2007-12-04 22:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-23 16:38 . 2007-12-04 22:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-23 13:32 . 2007-12-31 19:56 297,984 --------- C:\WINDOWS\system32\dllcache\msctf.dll
2008-03-23 13:32 . 2007-11-22 19:43 78,720 --------- C:\WINDOWS\system32\dllcache\sdbus.sys
2008-03-23 13:32 . 2007-11-22 19:23 12,032 --------- C:\WINDOWS\system32\dllcache\sffdisk.sys
2008-03-23 13:32 . 2007-11-22 19:23 11,008 --------- C:\WINDOWS\system32\dllcache\sffp_sd.sys
2008-03-23 13:32 . 2007-11-22 19:23 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-03-23 13:32 . 2007-11-22 19:23 10,240 --------- C:\WINDOWS\system32\dllcache\sffp_mmc.sys
2008-03-23 13:15 . 2008-03-23 13:15 58,880 --a------ C:\WINDOWS\system32\bxix.exe
2008-03-23 12:06 . 2008-03-23 12:07 dr------- C:\WINDOWS\system32\dnsq.dll
2008-03-23 11:43 . 2008-03-23 11:43 dr------- C:\WINDOWS\system32\wxptdi.sys
2008-03-23 11:43 . 2008-03-23 11:43 dr------- C:\WINDOWS\system32\fat32.sys
2008-03-23 11:43 . 2008-03-23 11:43 dr------- C:\WINDOWS\system32\drivers\usb32k.sys
2008-03-23 11:43 . 2008-03-23 11:43 dr------- C:\WINDOWS\system32\drivers\puid.sys
2008-03-23 11:43 . 2008-03-23 11:43 dr------- C:\WINDOWS\system32\drivers\phy.sys
2008-03-23 11:43 . 2008-03-23 11:43 dr------- C:\WINDOWS\system32\drivers\pcihdd.sys
2008-03-23 11:43 . 2008-03-23 11:43 dr------- C:\WINDOWS\system32\drivers\pcidisk.sys
2008-03-23 11:43 . 2008-03-23 11:43 dr------- C:\WINDOWS\system32\drivers\pcibus.sys
2008-03-23 11:43 . 2008-03-23 11:43 dr------- C:\WINDOWS\system32\drivers\msaclue.sys
2008-03-23 11:43 . 2008-03-23 11:43 dr------- C:\WINDOWS\system32\drivers\ati32srv.sys
2008-03-23 11:16 . 2008-03-23 11:16 d-------- C:\Program Files\360safe
2008-03-23 09:37 . 2008-03-23 11:23 78 --a------ C:\WINDOWS\121-127-85-118
2008-03-22 11:52 . 2008-03-22 11:52 d-------- C:\Program Files\ZoneAlarmSB
2008-03-22 11:50 . 2008-03-22 11:50 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-22 10:31 . 2008-03-22 10:31 d--hs---- C:\FOUND.000
2008-03-22 07:18 . 2008-03-23 11:23 30 --a------ C:\WINDOWS\system32-95-127-85-118
2008-03-22 07:17 . 2008-03-22 07:17 90 --a------ C:\WINDOWS\120-127-85-118
2008-03-22 07:16 . 2008-03-22 07:16 d-------- C:\WINDOWS\system32\15B63
2008-03-22 07:16 . 2008-03-22 07:16 8 --a------ C:\WINDOWS\system32-111-127-85-118
2008-03-22 07:16 . 2008-03-22 07:18 5 --a------ C:\WINDOWS\system32\num.ini
2008-03-21 20:24 . 2008-03-21 20:24 d-------- C:\WINDOWS\system32\inf
2008-03-21 19:20 . 2008-03-21 19:20 d-------- C:\Program Files\mfvz
2008-03-17 20:08 . 2008-03-17 20:08 d-------- C:\Program Files\Yiqilai
2008-03-14 22:39 . 2008-03-14 22:39 d-------- C:\Program Files\SogouInput
2008-03-14 22:20 . 2006-01-09 15:01 86,016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
2008-03-14 22:19 . 2008-03-14 22:19 d-------- C:\Program Files\Giganology
2008-03-14 21:56 . 2008-03-22 07:16 217 --a------ C:\WINDOWS\system32\resiifers.ini
2008-03-14 17:53 . 2008-03-14 17:53 d-------- C:\Program Files\中国建设银行