suspicious message alerts

Viruses and worms
1

Hi,

I am currently receiving about 10 suspicious message alerts per minute, which, as you can imagine, is infuriating.

I have changed my system setting to show all hidden files and folders and then run an Avast boot scan, to no avail. I have also used Ccleaner and spybot search and destroy. All these programs found a few problems and ‘fixed’ them but I still get the suspicious messages.

I have done a hijack this scan and uploaded the results to virustotal.com which said eveything was fine. Hang on WTF! I just copied the results from virustotal.com, which appear exactly as below except with current status marked as finished, but when I paste it appears as:

File hijack_this_logfile.txt received on 03.24.2009 20:25:53 (CET)
Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED
Result: 0/40 (0%)

That is defintley weird, no?

I was going to paste the full Hikackthis log file here as well but it will exceed the 10000 character limit so I will try and do it in a few parts. Anyone who can help me on this in anyway will be a hero.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:20:37, on 24/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\fslhjmr.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\Owner\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\ACT\Act for Windows\ActSage.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

2

this is the rest of my hijack this logfile:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Users\Owner\cwpylgc.exe \s
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM..\Run: [StartCCC] “C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe”
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [LanguageShortcut] “C:\Program Files\CyberLink\PowerDVD\Language\Language.exe”
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe
O4 - HKLM..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKLM..\Run: [Act.Outlook.Service] “C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe”
O4 - HKLM..\Run: [Act! Preloader] “C:\Program Files\ACT\Act for Windows\ActSage.exe” -preload
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [MacDrive application] “C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe”
O4 - HKLM..\Run: [Getting started with MacDrive] “C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe” /auto
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [MacDrive7.0.4TimeOutPatch] \TimeOutPatch.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [fslhjmr] C:\Windows\system32\fslhjmr.exe \u
O4 - HKCU..\Run: [eFax 4.4] “C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe” /R
O4 - HKCU..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe” -startup
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
O4 - Startup: eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra ‘Tools’ menuitem: Attach Web page to ACT! contact… - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ACT! Scheduler - Sage Software, Inc. - C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MacDrive service (MacDriveService) - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\program files\common files\protexis\license service\psiservice_2.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe


End of file - 11061 bytes

3

Welcome to the forums, rossyross. :slight_smile:

An analysis of your HJT log shows the following :

We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.

The below entries were rated as questionable or unknown :

C:\Windows\System32\fslhjmr.exe
There were no search results for this entry. This makes it very suspicious.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Unnecessary (deactivated) entry that can be fixed. Belongs to Yahoo Companion.

O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
Unnecessary (deactivated) entry that can be fixed. Belongs to ACT! 2005

O4 - HKLM..\Run: [MacDrive7.0.4TimeOutPatch] \TimeOutPatch.EXE
Do you use MacDrive? If so, this one could be OK.
http://www.sysinfo.org/startuplist.php?filter=&count=50&offset=50&letter=T

O4 - HKLM..\Run: [fslhjmr] C:\Windows\system32\fslhjmr.exe \u
There were no search results for this entry. This makes it very suspicious.

O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
Unnecessary (deactivated) entry that can be fixed.

O9 - Extra ‘Tools’ menuitem: Attach Web page to ACT! contact… - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
Unnecessary (deactivated) entry that can be fixed.

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
Belongs to OpenDNS and should be OK.

So, there are 2 entries that are very suspicious. I hope this info will give someone help to resolve your problem.

4
I have done a hijack this scan and uploaded the results to virustotal.com which said eveything was fine. Hang on WTF! I just copied the results from virustotal.com, which appear exactly as below except with current status marked as finished, but when I paste it appears as:
I don't know the specifics of why the file did not upload, producing the error message, but the virus total service is for suspicious or unknown file, not log file analysis. Any results would have been meaningless.

What you should do, in the light of CharleyO’s post, is to locate that C:\Windows\System32\fslhjmr.exe and upload that to virus total.

Any chance you could advise us the content of the suspicious alert messages, please? The content (what is flagged) is important for determining any needed course of action. (Which may include deleting the file mentioned, but don’t rush into that without a bit more research.)

5

Hi Guys, Thanks for your replies.

Here are 2 samples of the messages that come up:

There are too many identical e-mails in appointed time:

Sender: “Natosha Taulman” wldbulletproof@concordtruckinc.com
Recipient: “Klueter” klueter@claranet.de
Subject: Frohe Weihnachten!

There are too many identical e-mails in appointed time

Sender: “Rossana Polselli” wfirestrain@dgabc.com.br
Recipient: “Knowableymfd” knowableymfd@hamanngroup.de
Subject: Weihnachtsgeschenk fuer Sie!

They are not always in German and of course the sender, receiver and subject vary.

I have deleted all of the files suggested by Charley O and am still receiving the message. I have task manager open just now and noticed cwpylgc.exe running at around 21k. I just googles to find out what this is and the only result was this post, where it appears in my log file as F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Users\Owner\cwpylgc.exe \s. Could this be the offender?

6

The two German emails have ‘Merry Christmas’ and ‘A Christmas gift for you!’ as their subject headers.

Very suspicious.

Have you tried running Malwarebytes and SuperantiSpyware? They are specialised programs designed to detect and remove malware.

Post the logs back here and I’m sure the experts on this forum will further assist you.

7

This message “There are too many identical e-mails in appointed time:” is an indication that you have an undetected/hidden trojan spambot on your system.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should product a log file).

8

Hi Guys,

Thanks again for your pearls of wisdom. I have followed your advice and ran Malwarebytes and superantispyware and they seem to have done the trick (I will post my mbam log below). I am now looking for a new firewall to stop this from happening again as I feel the windows one is not sufficient so if anyone has any recommendations of a good freeware firewall then please let me know. Thanks Again!

Malwarebytes’ Anti-Malware 1.35
Database version: 1921
Windows 6.0.6001 Service Pack 1

31/03/2009 09:16:42
mbam-log-2009-03-31 (09-16-42).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 166183
Time elapsed: 1 hour(s), 13 minute(s), 6 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\Users\Owner\cwpylgc.exe (Backdoor.Bot) → Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\totalvid (Trojan.DNSChanger) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Rootkit.Trace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) → Data: c:\users\owner\cwpylgc.exe → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Owner\cwpylgc.exe (Backdoor.Bot) → Delete on reboot.
C:\Users\Owner\Downloads\Avast Antivirus Home 4.7\keygen.exe (Trojan.TDSS) → Quarantined and deleted successfully.
C:\Users\Owner\Downloads\Avast Antivirus Profesional 4.7.892\keygen.exe (Trojan.TDSS) → Quarantined and deleted successfully.

9
  • There are many freeware firewalls such as, Comodo (care required now it is a suite not to install the anti-virus element), PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes In the Program Control, configuration area, the slider will only goes as far as Medium protection, if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

Many forum users are using all of the above:
PC Tools Firewall seems to have the least user headaches as it doesn’t seem to be constantly asking the user questions about this and that.
I think you can see by my comments on Zone Alarm free you have to be careful that you are not using the pro trial version.
Online Armor for the most parts fine but it has caused some users grief after avast program updates and that is something you have to watch out for.
Comodo is now a suite and you have to do a custom install so as not to install the antivirus element, of all the firewalls listed this seems to be the noisiest in asking questions, depending on settings and elements used, so it could be daunting for those not to familiar with firewalls or their systems.