Topic: Help! Mysterious virus sending thousands of spam e-mails from my PC :(


mauserme

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #45 on: August 31, 2007, 11:58:37 PM »
Whether an appinit_dll or winlogon_notify key, not all O20 entries in HJT are bad. Some caution is needed here about what we say should be deleted.

It would be better to post the HJT log so we can see exactly what you have going on.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89149
  • No support PMs thanks
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #46 on: September 01, 2007, 01:00:31 AM »
I absolutely agree: don't take any action without first posting the contents of the hijackthis.log file and getting advice on the action to take. Messing with O20 entries could seriously ruin your day.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #47 on: September 01, 2007, 03:36:35 AM »
If you are still detecting strange behaviors, you can scan and submit the RunScanner log for on-line analysis; that would help to identify the problem and the solution.

That should be it, sorted, but you might want to reinstall your PC anyway to be on the safe side - that's my plan but then I am extra-cautious!
Like Bob, this is what I think about reformatting...
http://forum.avast.com/index.php?topic=30172.msg249246#msg249246
« Last Edit: September 01, 2007, 03:40:03 AM by Tech™ »
The best things in life are free.

lad from leigh

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #48 on: September 01, 2007, 11:14:55 PM »
This is the result of the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:05:48, on 01/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sm56hlpr.exe
C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\VM_STI.EXE
C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Philips\Philips SPC210NC Webcam\TrayMin210.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\DAD\Escritorio\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\ARCHIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC210NC Webcam
O4 - HKLM\..\Run: [SsAAD.exe] C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Archivos de programa\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TrayMin210.exe.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\ARCHIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 7648 bytes

thanks to all for the help!

Offline DavidR

Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #49 on: September 01, 2007, 11:37:41 PM »
You don't appear to be using a firewall, or you are using XP's firewall (you really need to look at one that protects against unauthorised outbound connections), or it is disabled?

This can be fixed.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

This one, although the file doesn't appear to be there (you should check):
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

See http://fileinfo.prevx.com/adware/qqc6f641158518-MSAS22915957/MSASVC.EXE.html
and http://www.castlecops.com/o23list-2222.html

The msasvc.exe file, if found, should be uploaded for checking at VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners here detect it, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

If detected by multiple scanners but not avast, send it to avast and fix the entry in HJT.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body and "false positive/undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from the chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
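As an added example (not from this thread, and not part of HijackThis itself), here is a small Python triage script for the HJT log format posted above. It flags the entry patterns DavidR points at: O2 BHOs with no name or no backing file, O23 services whose binary is missing or whose owner is "Unknown owner" but not a stock XP system binary, and O4 Run entries that give only a bare file name. The sample lines are excerpted from the poster's log; the STOCK_XP_SERVICE_BINARIES baseline is my assumption, built from the XP services visible in that log.

```python
import re
from dataclasses import dataclass
from typing import List

# Excerpt of the HijackThis log posted earlier in this thread (the poster's own
# lines, not constructed), trimmed to the entry types this triage looks at.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
"""

# Assumed baseline: stock Windows XP service binaries that HJT lists as "Unknown
# owner" because it reads no company name for them. Built from the XP services in
# the posted log; stored lower-cased and without the drive letter.
STOCK_XP_SERVICE_BINARIES = {
    r"\windows\system32\services.exe",
    r"\windows\system32\svchost.exe",
    r"\windows\system32\dmadmin.exe",
    r"\windows\system32\imapi.exe",
    r"\windows\system32\mnmsrvc.exe",
    r"\windows\system32\sessmgr.exe",
    r"\windows\system32\scardsvr.exe",
    r"\windows\system32\smlogsvc.exe",
    r"\windows\system32\vssvc.exe",
    r"\windows\system32\wbem\wmiapsrv.exe",
}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")                # "O23 - <body>"
O4_RUN_RE = re.compile(r"^HK[^:]+: \[([^\]]+)\] (.*)$")  # "HKLM\..\Run: [name] cmd"


@dataclass
class Finding:
    line: str
    reasons: List[str]


def _normalise_path(path: str) -> str:
    """Lower-case a Windows path and drop the drive letter for baseline lookups."""
    path = path.strip().lower()
    return path[2:] if len(path) > 1 and path[1] == ":" else path


def _executable(command: str) -> str:
    """First token of a Run command: the quoted program, or else the first word."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the log entries worth a second look, each with its reasons."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        reasons: List[str] = []
        if kind == "O2" and body.startswith("BHO: "):
            # "BHO: <name> - {CLSID} - <path>": split from the right, the path is last
            parts = body[len("BHO: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                name, _clsid, path = parts
                if path == "(no file)":
                    reasons.append("BHO CLSID is registered but its DLL is gone (orphaned entry)")
                if name == "(no name)":
                    reasons.append("BHO has no display name; confirm the DLL's vendor before trusting it")
        elif kind == "O4":
            rm = O4_RUN_RE.match(body)
            if rm and "\\" not in _executable(rm.group(2)):
                reasons.append("Run entry gives a bare file name, resolved by search order, not a fixed path")
        elif kind == "O23" and body.startswith("Service: "):
            # "Service: <display> (<short>) - <owner> - <path> [(file missing)]"
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                _display, owner, path = parts
                if path.endswith("(file missing)"):
                    reasons.append("service is registered but its binary is not on disk")
                    path = path[: -len("(file missing)")]
                if owner == "Unknown owner" and _normalise_path(path) not in STOCK_XP_SERVICE_BINARIES:
                    reasons.append("unknown owner and not a stock XP service binary")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings
```

Calling `triage_hjt(HJT_LOG)` returns four findings (the two no-name BHOs, the bare-name SMSERIAL Run entry, and the MsaSvc service with two reasons); the avast, Eventlog and VSS lines pass.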

lad from leigh

Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #50 on: September 02, 2007, 11:36:19 PM »
I followed the path to try and find the file for uploading (O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)) but it isn't there! I deselected the hidden system files option to see if it came out, but still no luck. I will be sorting a firewall out this week. You were right, I only had the XP one running; I was a bit innocent in thinking I wouldn't need much more for what I do on the internet. Any recommendations?!
What about this file, is there any reason I can't see it?
Thanks again.

Offline DavidR

Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #51 on: September 03, 2007, 12:18:55 AM »
Sometimes, though HJT reports the file missing, that may not be the case, so it is always important to check.

Check the other links I gave about this file and see if any of the associated files or registry entries exist on your system and report your findings.

Run HJT again, check the fix box to the left of the two entries I mentioned, and click the Fix button.

- There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.
See http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php for the later set of results.

lad from leigh

Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #52 on: September 04, 2007, 01:08:20 AM »
Here are the results of the RunScanner log. I will have to post it in 2 pages.
Thanks.

Runscanner logfile http://www.runscanner.net

* = authenticode signed file
- = file not found

000 General info
----------------
Computer name : LEE
Creation time : 04/09/2007 1:01:08
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 6.0.2900.2180
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.0.3.0
Type of scan : Full scan
User Language : Español (alfabetización internacional)
User rights : Administrator
Windows folder : C:\WINDOWS

001 Running processes
---------------------
c:\archivos de programa\musicmatch\musicmatch jukebox\mmtask.exe (Musicmatch Inc.)
* c:\archivos de programa\alwil software\avast4\ashserv.exe (ALWIL Software)
* c:\archivos de programa\alwil software\avast4\aswupdsv.exe (ALWIL Software)
* c:\archivos de programa\alwil software\avast4\ashmaisv.exe (ALWIL Software)
* c:\archiv~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
* c:\archivos de programa\alwil software\avast4\ashwebsv.exe (ALWIL Software)
* c:\windows\vm_sti.exe (BIGDOG)
* c:\archivos de programa\google\googletoolbarnotifier\googletoolbarnotifier.exe (Google Inc.)
c:\archivos de programa\archivos comunes\installshield\updateservice\issch.exe (InstallShield Software Corporation)
* c:\windows\sm56hlpr.exe (Motorola Inc.)
* c:\windows\soundman.exe (Realtek Semiconductor Corp.)
* c:\docume~1\dad\config~1\temp\rar$ex00.796\runscanner.exe (Runscanner.net)
c:\archiv~1\sony\sonics~1\ssaad.exe
c:\archivos de programa\archivos comunes\sony shared\avlib\ssscsisv.exe (Sony Corporation)
c:\archivos de programa\philips\philips spc210nc webcam\traymin210.exe
c:\archivos de programa\winamp\winampa.exe
c:\archivos de programa\winrar\winrar.exe

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\archiv~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
* c:\windows\vm_sti.exe (BIGDOG)
c:\archiv~1\archiv~1\instal~1\update~1\isuspm.exe (InstallShield Software Corporation)
c:\archivos de programa\archivos comunes\installshield\updateservice\issch.exe (InstallShield Software Corporation)
c:\archivos de programa\musicmatch\musicmatch jukebox\mmtask.exe (Musicmatch Inc.)
c:\windows\system32\nerocheck.exe (Ahead Software Gmbh)
* C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)
* C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
c:\archiv~1\sony\sonics~1\ssaad.exe
- c:\archivos de programa\archivos comunes\real\update_ob\realsched.exe
c:\archivos de programa\winamp\winampa.exe

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\archivos de programa\real\realplayer\realplay.exe (RealNetworks, Inc.)
* c:\archivos de programa\google\googletoolbarnotifier\googletoolbarnotifier.exe (Google Inc.)

005 C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
--------------------------------------------------------------------
c:\archiv~1\adobe\acroba~1.0\reader\reader~1.exe (Adobe Systems Incorporated)
c:\archiv~1\philips\philip~1\traymi~1.exe

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
C:\WINDOWS\microsoft.net\framework\v1.1.4322\aspnet_state.exe (ASP.NET State Service)
* c:\archivos de programa\alwil software\avast4\ashserv.exe (avast! Antivirus)
* c:\archivos de programa\alwil software\avast4\aswupdsv.exe (avast! iAVS4 Control Service)
* c:\archivos de programa\alwil software\avast4\ashmaisv.exe (avast! Mail Scanner)
* c:\archivos de programa\alwil software\avast4\ashwebsv.exe (avast! Web Scanner)
* c:\archivos de programa\google\common\google updater\googleupdaterservice.exe (Google Updater Service)
- c:\windows\system32\msasvc.exe (Microsoft authenticate service)
c:\archivos de programa\archivos comunes\sony shared\avlib\mscsptisrv.exe (MSCSPTISRV)
c:\archivos de programa\archivos comunes\sony shared\avlib\pacsptisvr.exe (PACSPTISVR)
c:\archivos de programa\archivos comunes\sony shared\avlib\ssscsisv.exe (SonicStage SCSI Service)
c:\archivos de programa\archivos comunes\sony shared\avlib\sptisrv.exe (Sony SPTI Service)


lad from leigh

Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #53 on: September 04, 2007, 01:09:06 AM »
..........

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
* C:\WINDOWS\system32\drivers\admjoy.sys (Aureal Game Port Enumerator)
* C:\WINDOWS\system32\drivers\ptilink.sys (Controlador de vínculo paralelo directo)
* C:\WINDOWS\system32\drivers\rtl8139.sys (Controlador de Windows NT del adaptador Fast Ethernet PCI basado en Realtek  RTL8139(A/B/C))
* C:\WINDOWS\system32\drivers\smserial.sys (Motorola SM56 Modem WDM Driver)
* C:\WINDOWS\system32\drivers\usbvm31b.sys (Philips SPC210NC Webcam)
C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
* C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
* C:\WINDOWS\system32\drivers\alcxwdm.sys (Service for Realtek AC97 Audio (WDM))

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
* c:\archiv~1\archiv~1\skype\skype4~1.dll (Skype Technologies) {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
* c:\archivos de programa\google\googletoolbar3.dll (Google Inc.) {2318C2B1-4965-11d4-9B18-009027A5CD4F}

044 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
------------------------------------------------------------------
* c:\archivos de programa\google\googletoolbar3.dll (Google Inc.) {2318C2B1-4965-11D4-9B18-009027A5CD4F}

045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
----------------------------------------------------------------
* c:\archivos de programa\google\googletoolbar3.dll (Google Inc.) {2318C2B1-4965-11D4-9B18-009027A5CD4F}

047 Trusted zones
-----------------
Zone: musicmatch.com : *.musicmatch.com
Zone: musicmatch.com : *.musicmatch.com

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
GUID / CLSID not found {7E853D72-626A-48EC-A868-BA8D5E23E045}
* c:\archivos de programa\adobe\acrobat 7.0\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
* c:\archiv~1\spybot~1\sdhelper.dll (Safer Networking Limited) {53707962-6F74-2D53-2644-206D7942484F}
* c:\archivos de programa\google\googletoolbar3.dll (Google Inc.) {AA58ED58-01DD-4d91-8333-CF10577473F7}
* c:\archivos de programa\google\googletoolbarnotifier\2.0.301.7164\swg.dll (Google Inc.) {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
* c:\archiv~1\skype\phone\ieplugin\skypei~1.dll (Skype Technologies S.A.) {22BF413B-C6D2-4d91-82A9-A0F997BA588C}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
* c:\archivos de programa\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
c:\archivos de programa\jetaudio\jetflext.dll (JetAudio, Inc.) {8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}
c:\archivos de programa\real\realplayer\rpshell.dll (RealNetworks, Inc.) {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
c:\archivos de programa\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
------------------------------------------------------------
c:\archivos de programa\adobe\acrobat 7.0\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
C:\WINDOWS\system32\mdimon.dll (Microsoft Corporation)

100 Internet Explorer settings
------------------------------
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Page_URL HKLM : http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default_Search_URL HKLM : http://www.google.com/ie
Search Page HKCU : http://www.google.com
Search Page HKLM : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchAssistant HKCU : http://www.google.com/ie
SearchAssistant HKLM : http://www.google.com/ie
SearchUrl HKCU : http://www.google.com/search?q=%s
Start Page HKCU : http://www.google.com/
Start Page HKLM : http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
* c:\windows\system32\macromed\flash\flash9c.ocx (Adobe Systems, Inc.) {D27CDB6E-AE6D-11CF-96B8-444553540000}

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
-----------------------------------------------------
E&xportar a Microsoft Excel : res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
* c:\archivos de programa\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
- c:\archivos de programa\mp3 player utilities 3.57\amvtools\srccount.dll {548773BA-874E-4C02-9DC7-B7A096772C7D}
c:\archivos de programa\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}


P.S. Still can't find msasvc in system32, nor can an I.T. friend of mine.

mauserme

Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #54 on: September 06, 2007, 04:55:45 AM »
Your runscanner log also indicates that msasvc.exe is missing.

What is the current status of the outgoing email problem?  Besides the email, are there other symptoms of infection?

lad from leigh

Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #55 on: September 07, 2007, 05:07:02 PM »
None whatsoever, which seems strange to me. I would have thought that, due to the amount of supposedly sent e-mails, both my PC and connection would be noticeably affected in response time, which is not the case.
Also, the activity seems to have receded slightly, in so much as the message that avast generated in the past about the amount of suspicious mail being sent in a short period of time no longer appears; however, the mail scanner of avast is up and running, as indicated by the icon on the lower status bar of the screen. When I move the mouse cursor over the icon it shows me the addresses of the emails being sent. Periodically there are periods when it stops, then starts again. The decrease in activity also coincided with me activating the XP firewall and updates that were pending.
What I am also going to see is if it only starts when I have Internet Explorer open, or if merely having the PC switched on (and the cable connection open) it starts to do the same. A friend of mine and I have been monitoring the memory usage and activated programmes when it starts up, and there doesn't seem to be anything untoward going on, which is very strange, but then again I suppose the virus makers have this in mind!!!
Any ideas?
Thanks.

mauserme

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #56 on: September 08, 2007, 05:51:50 AM »
If you haven't already fixed the lines DavidR mentioned please do so now.

Open HJT and click Do a System Scan Only. When complete, place a check next to these lines:


O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)


Close all other windows, including your browser, and click Fix Checked.


Now run ComboFix and post the log it produces, followed by a fresh HJT log.  Please note that if you have an older version of ComboFix on your computer you must delete it and download the latest version.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


lad from leigh

Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #57 on: September 08, 2007, 01:27:13 PM »
Right. I've done as you instructed and here are the results (I only know how to copy them and paste them here, though it takes up a lot of page).

HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:12:01, on 08/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\VM_STI.EXE
C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\Philips\Philips SPC210NC Webcam\TrayMin210.exe
C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\DAD\Escritorio\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\ARCHIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC210NC Webcam
O4 - HKLM\..\Run: [SsAAD.exe] C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Archivos de programa\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TrayMin210.exe.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\ARCHIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 7636 bytes

........

lad from leigh

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #58 on: September 08, 2007, 01:27:56 PM »
....
Combofix log:

ComboFix 07-09-08.7 - "DAD" 2007-09-08 13:18:45.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.3082.18.181 [GMT 2:00]
 * Created a new restore point
.
Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\DAD\DATOSD~1\install.dat
C:\DOCUME~1\DAD\ESCRIT~1\internet.lnk


(((((((((((((((((((((((((   Files Created from 2007-08-08 to 2007-09-08  )))))))))))))))))))))))))))))))
.

2007-09-08 13:14   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-09-04 01:13   <DIR>   d--------   C:\DOCUME~1\DAD\DATOSD~1\SUPERAntiSpyware.com
2007-09-04 01:13   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATOSD~1\SUPERAntiSpyware.com
2007-09-04 01:13   <DIR>   d--------   C:\Archivos de programa\SUPERAntiSpyware
2007-09-04 01:13   <DIR>   d--------   C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2007-09-01 10:07   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-01 10:13   ---------   d--------   C:\Archivos de programa\eMule
2007-07-30 19:19   92504   --a------   C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19   549720   --a------   C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19   53080   --a------   C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19   43352   --a------   C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19   325976   --a------   C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19   203096   --a------   C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19   1712984   --a------   C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18   33624   --a------   C:\WINDOWS\system32\wups.dll
2007-07-28 00:07   783224   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-07-28 00:02   94416   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 00:02   92848   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 00:00   23152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 23:59   42912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 23:58   26624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 23:57   95608   --a------   C:\WINDOWS\system32\AVASTSS.scr
2007-07-23 19:36   ---------   d--------   C:\DOCUME~1\DAD\DATOSD~1\Skype
2007-06-26 08:09   1104896   --a------   C:\WINDOWS\system32\msxml3.dll
2007-06-20 22:10   151552   ---------   C:\WINDOWS\system32\pxwma.dll
2007-06-20 22:10   108544   ---------   C:\WINDOWS\system32\pxcpyi64.exe
2007-06-20 22:10   104960   ---------   C:\WINDOWS\system32\pxinsi64.exe
2007-06-19 15:30   282112   --a------   C:\WINDOWS\system32\gdi32.dll
2007-06-13 15:22   1035776   --a------   C:\WINDOWS\explorer.exe
2004-11-30 15:23   40960   -r-------   C:\Archivos de programa\delete.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 08:01 C:\WINDOWS\sm56hlpr.exe]
"mmtask"="C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-12-01 14:49]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 12:48 C:\WINDOWS\SOUNDMAN.EXE]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" []
"ISUSPM Startup"="C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 11:41]
"ISUSScheduler"="C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" [2004-04-13 05:07]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"WinampAgent"="C:\Archivos de programa\Winamp\winampa.exe" [2005-10-27 01:01]
"avast!"="C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 00:03]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-06-09 15:37]
"SsAAD.exe"="C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 19:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:42]
"RealPlayer"="C:\Archivos de programa\Real\RealPlayer\realplay.exe" [2006-06-02 18:20]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 18:35]
"SUPERAntiSpyware"="C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\MENINI~1\PROGRA~1\Inicio\
Inicio rápido de Adobe Reader.lnk - C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
TrayMin210.exe.lnk - C:\Archivos de programa\Philips\Philips SPC210NC Webcam\TrayMin210.exe [2007-04-20 21:52:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll

S2 MsaSvc;Microsoft authenticate service;C:\WINDOWS\system32\msasvc.exe
S3 admjoy;Aureal Game Port Enumerator;C:\WINDOWS\system32\DRIVERS\admjoy.sys
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 13:20:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-08 13:21:46
C:\ComboFix-quarantined-files.txt ... 2007-09-08 13:21
.
   --- E O F ---


Many thanks once again!

lad from leigh

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #59 on: September 08, 2007, 02:05:05 PM »
P.S. Is it normal that when I downloaded ComboFix, my avast antivirus alerted me of a trojan virus and there was an attempt to change the search criteria of my Google search bar? I moved the trojan to the avast virus chest.