Author Topic: Outpout mail scanning historic  (Read 10627 times)

0 Members and 1 Guest are viewing this topic.

Offline ermite67

  • Jr. Member
  • **
  • Posts: 23
Outpout mail scanning historic
« on: November 16, 2007, 08:57:21 AM »
Hi,

Few week ago, some spyware send mails from my computer and just i see "scanning output mail" (in french : Scanne du mail sortant...), and many différents mail adress.

Is it possible to keep historic of these outpout mails scanned ?? And from whish program it is send ?

Thanks for your help

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Outpout mail scanning historic
« Reply #1 on: November 16, 2007, 02:47:33 PM »
HI

What firewall are you using?

You could check your firewall logs and see if there is an unknown program connecting to the internet.

You can post a hijackthis log here and we can try to see what is running.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Offline ermite67

  • Jr. Member
  • **
  • Posts: 23
Re: Outpout mail scanning historic
« Reply #2 on: November 16, 2007, 03:42:39 PM »
Hi dear oldman,
Thank you for your reply.
Firewall : The default windows XP firewall is active.
And Avast! Isnt a firewall too ???

Here is the Hijackthis result :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:24:28, on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ScanWizard 5\ScannerFinder.exe
C:\MEMTOOLS\START\MEMFILE2000.EXE
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
D:\Pierre\Progs\Ethereal\dumpcap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26F34125-D06E-4434-8E57-EB7D9BDEE694} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MEMFILE2000.lnk = C:\MEMTOOLS\START\MEMFILE2000.EXE
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O4 - Global Startup: Rappels du Calendrier Microsoft Works.lnk = ?
O4 - Global Startup: Scanner Finder.lnk = C:\Program Files\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179349491656
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/importer/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{1400900D-E9E6-41CF-B34C-5DB1E46CE723}: NameServer = 195.238.2.22 195.238.2.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{1400900D-E9E6-41CF-B34C-5DB1E46CE723}: NameServer = 195.238.2.22 195.238.2.21
O20 - Winlogon Notify: °À - °À (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 7730 bytes


Great THANKS for the next step...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85965
  • No support PMs thanks
Re: Outpout mail scanning historic
« Reply #3 on: November 16, 2007, 05:56:09 PM »
WOW this is old C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://www.java.com/en/download/index.jsp
Or JRE version 6 update 3 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

You don't appear to have an active firewall, what is your firewall ?

Suspect
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info - Do you know what this is did you set it up, if not FIX.

O20 - Winlogon Notify: °À - °À (file missing)


FIX
O2 - BHO: (no name) - {26F34125-D06E-4434-8E57-EB7D9BDEE694} - C:\WINDOWS\system32\mljjj.dll (file missing) - Check for the presence of this file also
It is associated with winfixer2005 try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php

Is this your ISP, belgacom.be as that is what the IP addresses are in these items ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{1400900D-E9E6-41CF-B34C-5DB1E46CE723}: NameServer = 195.238.2.22 195.238.2.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{1400900D-E9E6-41CF-B34C-5DB1E46CE723}: NameServer = 195.238.2.22 195.238.2.21
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Outpout mail scanning historic
« Reply #4 on: November 16, 2007, 06:18:42 PM »
Fix the lines as DavidR suggests, then do the following

Download  superantispyware

First update SAS Then

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quaranine.

 leave the others unchecked.

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

When the scan is done, quaretine everthing found . Reboot if asked. You can post the log in your next reply if you wish.


Please post another HJT log with your next reply.

I would also suggest that you download and install comodo firewall from here

http://www.personalfirewall.comodo.com/

a brief setup video can be found here

http://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/noob_install_video_guide-t4766.0.html

I'll have a look after your next reply and we'll take it from there.  ;D

Offline ermite67

  • Jr. Member
  • **
  • Posts: 23
Re: Outpout mail scanning historic
« Reply #5 on: November 16, 2007, 11:07:24 PM »
Hi DavidR, Hi Oldman,

Great THANKS for your help !

- C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe uninstalled
- R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info - FIXED
- O20 - Winlogon Notify: °À - °À (file missing) - FIXED
- O2 - BHO: (no name) - {26F34125-D06E-4434-8E57-EB7D9BDEE694} - C:\WINDOWS\system32\mljjj.dll (file missing) - FIXED
- Rogueremover installed and nothing found (all right)
- Superantispyware installed and 16 items was found and deleted.

Is this your ISP, belgacom.be as that is what the IP addresses are in these items ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{1400900D-E9E6-41CF-B34C-5DB1E46CE723}: NameServer = 195.238.2.22 195.238.2.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{1400900D-E9E6-41CF-B34C-5DB1E46CE723}: NameServer = 195.238.2.22 195.238.2.21

I DONT NOW


NEW Hijackthis :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:03:58, on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Messenger\MSMSGS.EXE
D:\Pierre\Progs\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ScanWizard 5\ScannerFinder.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Pierre\Progs\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MEMFILE2000.lnk = C:\MEMTOOLS\START\MEMFILE2000.EXE
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O4 - Global Startup: Rappels du Calendrier Microsoft Works.lnk = ?
O4 - Global Startup: Scanner Finder.lnk = C:\Program Files\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179349491656
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/importer/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{1400900D-E9E6-41CF-B34C-5DB1E46CE723}: NameServer = 195.238.2.22 195.238.2.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{1400900D-E9E6-41CF-B34C-5DB1E46CE723}: NameServer = 195.238.2.22 195.238.2.21
O20 - Winlogon Notify: !SASWinLogon - D:\Pierre\Progs\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 7078 bytes

I hope that all virus and / or spyware are out now...

THANKS

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Outpout mail scanning historic
« Reply #6 on: November 17, 2007, 12:14:30 AM »
Is your computer still sending mail?

re:belgacom   does this look familar? It's their homepage.(in English)

http://www.belgacom.be/home/en/jsp/dynamic/homepage.jsp

What did SAS find?

Nothing jumps out from the HJT log, if you still are having problems, we can look deeper.

You should really consider a third party firewall, windows does not provide out bound monitoring.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85965
  • No support PMs thanks
Re: Outpout mail scanning historic
« Reply #7 on: November 17, 2007, 12:22:22 AM »
Considering your email address @ belgacom.net I would say it probably is your ISP, I didn't think to check it before, mainly as I don't display my own email, I assume others will be the same.

Your log looks OK, nothing obvious.

Now you want to get on to a third party firewal to beef up your protection and install the latest JAVA version.

Can you give examples of what SAS found, malware name, file name and location ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline ermite67

  • Jr. Member
  • **
  • Posts: 23
Re: Outpout mail scanning historic
« Reply #8 on: November 17, 2007, 07:10:48 PM »
Hello,

Here is news: I think i have problems again ...
This morning, avast have automatic update make (2 time), and after my computer reboot and i have a black screen on startup to choose a profil... after, fortunately, computer have started normaly, but ...
Problems find by SAS was coockies tracker (adserver, doubleclick, etc...)
Today, SAS found coockies tracker again. Pc tools - spyware doctor too.
My internet provider is effectively BELGACOM.

Now i am installing comodo personal firewall. After i post a new Hijackthis.

Thanks

Offline ermite67

  • Jr. Member
  • **
  • Posts: 23
Re: Outpout mail scanning historic
« Reply #9 on: November 17, 2007, 08:42:28 PM »
Hi,

SAS has detected adware again (not dangerous):
Adware.Tracking Cookie (2 items)
    - Files
        - C:\Documents and Settings\Pierre\Cookies\pierre@adserver.aol(1).txt
        - C:\Documents and Settings\Pierre\Cookies\pierre@xiti(1).txt


Here is the new Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:34:07, on 17/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Pierre\Progs\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
D:\Pierre\Progs\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Pierre\Progs\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ScanWizard 5\ScannerFinder.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Pierre\Progs\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Pierre\Progs\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MEMFILE2000.lnk = C:\MEMTOOLS\START\MEMFILE2000.EXE
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Rappels du Calendrier Microsoft Works.lnk = ?
O4 - Global Startup: Scanner Finder.lnk = C:\Program Files\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179349491656
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/importer/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{1400900D-E9E6-41CF-B34C-5DB1E46CE723}: NameServer = 195.238.2.22 195.238.2.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{1400900D-E9E6-41CF-B34C-5DB1E46CE723}: NameServer = 195.238.2.22 195.238.2.21
O20 - Winlogon Notify: !SASWinLogon - D:\Pierre\Progs\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Pierre\Progs\Comodo\Firewall\cmdagent.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 7082 bytes


Bye

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85965
  • No support PMs thanks
Re: Outpout mail scanning historic
« Reply #10 on: November 17, 2007, 08:43:24 PM »
Tracking cookies are a very minor issue, they are text files that should only be available to the sit that you accepted them for. Personally I uncheck the option to even look for tracking cookies in SAS, see image (up to you what you decide).

Many anti-spyware applications make a really big deal out of flagging tracking cookies when any risk is normally related to your browsing history and is a minor privacy, rather than security issue. I'm of the opinion that if they scare you half to death about these minor irritations you feel they are doing a valuable job. SAS is good enough in its own right not to have to make a big deal out of cookies.

So if the only thing you have to wory about are tracking cookies, you have little to worry about.

Edit: I see nothing obvious in your log.
« Last Edit: November 17, 2007, 08:46:37 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Outpout mail scanning historic
« Reply #11 on: November 17, 2007, 08:51:11 PM »
I agree with DavidR about the tracking cookies, they don't really mean a whole lot. The only reason I include them in the scan, is when you quaratine everything found, they are gone. There are other ways of removing them, but if you are doing a scan, why not get rid of them at the same time?

Your HJT log looks fine. If you want to look deeper we can.

Open the Folder Options in the Control Panel.  On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files and hide known file extentions are not checked.  Click OK.




Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
edit to add: are you still having problems with unknown mail being sent?
« Last Edit: November 17, 2007, 08:55:10 PM by oldman »

Offline ermite67

  • Jr. Member
  • **
  • Posts: 23
Re: Outpout mail scanning historic
« Reply #12 on: November 19, 2007, 10:54:23 AM »
Hi DavidR, Hi Oldman,

I think all is right now... Computer is a few faster, and i have not see yet any bad output mail.

Computer is securised with Avast!, SuperAntiSpyware, Spyware Doctor (pc tools) and Commodo Firewall !!!

Here is then dss report :

DSS report in Attach (too long for include in this post...).

For me, for now, all is right.

Great job for you 2, great THANK YOU !


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85965
  • No support PMs thanks
Re: Outpout mail scanning historic
« Reply #13 on: November 19, 2007, 02:20:33 PM »
Your welcome, I'm just glad that things are (fingers crossed) back to normal.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Outpout mail scanning historic
« Reply #14 on: November 19, 2007, 04:38:42 PM »
Hi

Check these files at www.virustotal.com

C:\WINDOWS\system32\dmxysyyx.dll
 C:\WINDOWS\system32\dmxttwys.dll
 C:\WINDOWS\system32\dmxrrwwy.dll


I couldn't find anything on them. Please post the results.