Mass mailer and I can’t find it or delete it!

Avast will detect and delete the virus; it only appears when I connect to the internet.
It’s called Graball in some of the files.
Here’s my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 01:49, on 2008-01-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\lolifox\lolifox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk121CPUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B561C164-D21A-4E4E-A190-123C9DDA3F60}: NameServer = 4.2.2.1,4.2.2.2
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

I’m running XP Home on a laptop.
I’ve tried MANY anti-spyware and rootkit programs, all of the ones recommended for similar cases here on the forums.
I have attached my latest avast log.
I don’t know what to do, this thing is mass emailing and slowing my system down, please help!

Also my system restore function will not restore, I don’t know why but it just tells me it cannot no matter how far back I go.

Here is my last AVG scan


Nothing obvious apart from some adware crap:

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk121CPUS

http://www.pchell.com/support/mywebsearch.shtml

I think looking for rootkits is the right approach. What have you tried?

Try these if you haven’t already:

Panda Antirootkit
Blacklight
AVG Anti-Rootkit
Trend Micro Rootkit Buster
McAfee Rootkit Detective
Sophos AntiRootkit
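
The kind of log triage done in the reply above can be scripted. This is an added example, not part of the original thread and not a HijackThis feature; the flagging rules are this example's own assumptions, and a flag means "look at this entry by hand", not "malicious".

```python
import re

# Sample lines adapted from the log in this thread (HijackThis 1.99.1 format).
SAMPLE = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk121CPUS
O17 - HKLM\System\CCS\Services\Tcpip\..\{B561C164-D21A-4E4E-A190-123C9DDA3F60}: NameServer = 4.2.2.1,4.2.2.2
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")   # "O4 - ...", "R3 - ..."
DRIVE_PATH = re.compile(r'^["“]?[A-Za-z]:\\')                     # C:\... optionally quoted

def triage(log_text):
    """Return (code, reason, line) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list and blank lines carry no entry code
        code, body = m["code"], m["body"]
        if "(no file)" in body or "(file missing)" in body:
            findings.append((code, "orphaned-reference", line))
        if code == "O4":
            # Registry autoruns look like "[name] command"; startup-folder ones "x.lnk = command".
            cmd = body.split("] ", 1)[1] if "] " in body else body.rsplit(" = ", 1)[-1]
            if not DRIVE_PATH.match(cmd):
                findings.append((code, "autorun-without-full-path", line))
        if code == "O8" and re.search(r"https?://", body):
            findings.append((code, "remote-url-menu-item", line))
        if code == "O17" and "NameServer" in body:
            findings.append((code, "dns-override", line))
        if code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "service-unknown-owner", line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE):
        print(f"{reason:28} {line}")
```

An autorun given without a full path is resolved through the system search path, so the file that actually runs has to be located and checked separately.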

The mailer might be hidden by a rootkit, so try some of the tools Frank suggested.

You could also try the latest version of HJT, FileHippo Download - HiJackThis.

If you haven’t got this, download, install, update and run it, preferably in safe mode. SUPERantispyware On-Demand only in free version.

I’ve tried
Panda Antirootkit
Blacklight
AVG Anti-Rootkit
Sophos AntiRootkit
HijackThis
And I’m running the McAfee one now, still nothing.
Is there maybe a way to find what ports it’s using and disable them? I don’t use mail programs on this machine so I don’t care if it kills Outlook, I only ever read mail on mail.com’s site.

[edit]
I tried the Windows port tracking utility and disabled many, many ports, and if I disable what’s left the internet connection will be off, so basically I’m looking at a reinstall, but I don’t have my original disk (lost in last move) so I will be attempting to find a download for a recovery CD for an acer aspire 3002lci series, and it’s not going well…
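
On the port question above: outbound mail normally goes to TCP port 25 (SMTP), and `netstat -ano` on Windows XP lists every connection with the PID that owns it. The sketch below is an added example, not part of the original thread; the sample output and its addresses are constructed, and the threshold of two distinct mail hosts is an assumption.

```python
from collections import defaultdict

# Constructed `netstat -ano` output (addresses from documentation ranges).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    192.168.1.20:1061      198.51.100.7:80        ESTABLISHED     2140
  TCP    192.168.1.20:1077      203.0.113.10:25        SYN_SENT        1788
  TCP    192.168.1.20:1078      203.0.113.44:25        ESTABLISHED     1788
  TCP    192.168.1.20:1079      198.51.100.91:25       ESTABLISHED     1788
  TCP    192.168.1.20:1080      192.0.2.5:25           TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

SMTP_PORTS = {25, 465, 587}  # SMTP, SMTP over TLS, mail submission

def smtp_talkers(netstat_text, min_peers=2):
    """Map PID -> sorted remote mail hosts, for PIDs contacting >= min_peers of them."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # column header, UDP rows (no State column), blank lines
        remote, state, pid = fields[2], fields[3], fields[4]
        host, _, port = remote.rpartition(":")
        if not port.isdigit() or int(port) not in SMTP_PORTS:
            continue
        if state == "LISTENING" or pid == "0":
            continue  # TIME_WAIT sockets are shown under PID 0: nothing to attribute
        peers[int(pid)].add(host)
    return {pid: sorted(hosts) for pid, hosts in peers.items() if len(hosts) >= min_peers}

if __name__ == "__main__":
    for pid, hosts in smtp_talkers(SAMPLE).items():
        print(f"PID {pid} is talking SMTP to {len(hosts)} hosts: {', '.join(hosts)}")
```

The PID can then be matched to a process in Process Explorer. If a rootkit is hiding the process, the connections may be missing from `netstat` on the infected machine as well, so an empty result there does not clear it.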

Very strange!

Could just be something starting from somewhere not listed in HijackThis, but actually hidden as such.

I’d suggest a few online scans:

Try some online scans. (Disable avast! while scanning.)

F-Secure

BitDefender

Panda

Trend Micro Housecall
ESET Online Scanner

You could also try Process Explorer to try to find the malware process.

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Hi Gorbash,

Let’s take a different look at some of the things happening on your computer.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

1. Close ALL OTHER PROGRAMS.
2. Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
3. Under Additional Scans click the checkboxes in front of the following items to select them:

<(leave default settings)>

4. Now click the Run Scan button on the toolbar.
5. Let it run unhindered until it finishes.
6. When the scan is complete Notepad will open with the report file loaded in it.
7. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

I attempted scans of the hard drive in my other computer by pulling my lappy’s drive and plugging it in with an adapter, then scanning using Trend Micro corp edition, avast home, and many of the recommended programs here in this thread. I failed to find the root cause of the issue, only the recurrence of the “graball” trojan.
Thank you, but upon finding the laptop’s resources taxed to the point my computer stops responding when I put it back to check, I decided to format and reinstall. Everything’s fine now but I have lost much.
I appreciate the help offered, thank you all.