Author Topic: avast mail scanner [svchost.exe-.64-120-147-85.hostnoc.net]  (Read 7461 times)

zxj24

  • Guest
avast mail scanner [svchost.exe-.64-120-147-85.hostnoc.net]
« on: November 12, 2009, 11:07:16 PM »
Hello,

I am new to avast. I had AVG, and today my PC got infected with a bunch of trojans. I tried to clean it with AVG but there seemed to be no end. These bustards were recreating. I removed AVG and installed avast. I updated the definitions and scheduled a run before boot-up. Avast found a bunch of viruses and I either deleted them or moved some to the chest. Here is what I still have in the chest: Win32:Cutwail-Y in a file agp440.sys and Win32:Trojan-gen in a file hostmon.exe. I don't recall what the other bustards were. I ran a sniffer and I noticed I had huge network traffic to unknown IP addresses. I looked at the packets and I had lots of smtp messages from random mail servers saying that my IP is flooding their servers with messages.

Anyway, the PC seems to be working fine now and it seems like my PC is not sending any more messages. I don't see any network traffic any more, but I got this little mail scanner icon in my tray.
The mail scanner says [svchost.exe-.64-120-147-85.hostnoc.net]. I am afraid I may still have some smtp engine running and trying to send some junk from my PC, but the mail scanner blocks it from doing so.

Can anyone help with how to stop the smtp engine?

In case it would make any sense, here is a hijackthis file from my PC. I guess no hijackthis file due to too many characters for this post.


CharleyO

  • Guest
Re: avast mail scanner [svchost.exe-.64-120-147-85.hostnoc.net]
« Reply #1 on: November 12, 2009, 11:19:26 PM »
***

Welcome to the forums, zxj24.   :)

You can add the HJT log to another post as an attachment or post parts of the log over more than one post using copy & paste.

Post the log results using the "copy & paste" method. It will probably take more than one post to be able to get the complete log posted.

OR, you can post it as an attachment to your post by clicking on "Additional Options..." below left of the posting box. 

When you post the log, be sure to include the complete log ... header and ending.
Someone will review your log and then offer help.


***

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: avast mail scanner [svchost.exe-.64-120-147-85.hostnoc.net]
« Reply #2 on: November 12, 2009, 11:21:34 PM »
Hi zxj24.

I do not know if you have two resident av solutions running on your machine; that is bad because they are going to find each other's signatures (like two dogs fighting instead of guarding your home). So you either have one resident av solution installed like avast (uninstall the other) and do a boot scan with that.
By the way, after that scan give me your HijackThis log as an attached txt file (see under additional options where it says Attach), then I will make an analysis for you. Everything will be fine, don't panic!

Regards,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

zxj24

  • Guest
Re: avast mail scanner [svchost.exe-.64-120-147-85.hostnoc.net]
« Reply #3 on: November 12, 2009, 11:28:27 PM »
All right, thanks for your replies. Just to remind you, I did a boot-up scan and got rid of some of these. So here I am looking for the attach icon and cannot find it. There is some icon which looks like an attachment but it is grayed out. Any ideas?

zxj24

  • Guest
Re: avast mail scanner [svchost.exe-.64-120-147-85.hostnoc.net]
« Reply #4 on: November 12, 2009, 11:30:58 PM »
What a dummy. I found it. So here you go.

Jtaylor83

  • Guest
Re: avast mail scanner [svchost.exe-.64-120-147-85.hostnoc.net]
« Reply #5 on: November 13, 2009, 04:08:25 AM »
You got this from ParetoLogic. A company with a very dark past.


O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe


Remove it with Revo Uninstaller.

I suggest you use MBAM.

Offline polonus

Re: avast mail scanner [svchost.exe-.64-120-147-85.hostnoc.net]
« Reply #6 on: November 13, 2009, 10:50:16 PM »
Hi zxj24.

I also would like to fix this using HJT:
O20 - AppInit_DLLs: C:\Windows\system32\rdolib.dll
- Usually created by an unsafe process.
- Registered as a Dynamic Link Library file.
- Usually has a random filename and refers to many versions of a dynamic link library.
- Can be injected/attached to a legitimate Windows process such as explorer.exe or other.
This is an information stealer also known as keylogger Trojan-robal Nuklus
http://www.threatexpert.com/report.aspx?md5=b65cbfbc73561e03b34fa939db567e55

This was a valid log analysis, did you follow it up?
http://www.security-forums.com/viewtopic.php?t=58559&sid=f7507a3622600dda24cf6cefee2eb998

polonus (malware fighter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
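
A triage sketch for the two HijackThis entries quoted in the replies above (the O23 service line and the O20 AppInit_DLLs line), added here as an example and not part of any poster's message or of HijackThis itself. The `triage` function, its review rules and the third sample line are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample: the two log lines quoted in this thread plus one
# made-up Microsoft service line for contrast.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: C:\Windows\system32\rdolib.dll
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
O23 - Service: Example Service (ExampleSvc) - Microsoft Corporation - C:\Windows\system32\example.exe
"""

class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O20"
    path: str      # file the entry points at
    reason: str    # why the entry deserves a manual look

O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
O23 = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]*)\) - "
                 r"(?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.+)$")

def triage(log: str) -> list[Finding]:
    """Return the O20/O23 entries that should be reviewed by hand."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if m := O20.match(line):
            # Assumed rule: every AppInit_DLLs entry is reviewed, since such a
            # DLL is loaded into each process that loads user32.dll.
            # Only comma-separated lists are split here.
            for dll in filter(None, (p.strip() for p in m["value"].split(","))):
                findings.append(Finding("O20", dll, "AppInit_DLLs entry"))
        elif m := O23.match(line):
            # Assumed rule: the vendor field is taken at face value; it is
            # self-declared by the file, so an unflagged line is not cleared.
            if "microsoft" not in m["vendor"].lower():
                findings.append(Finding(
                    "O23", m["path"],
                    f"third-party service {m['name']} ({m['vendor']})"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}  {f.path}  <- {f.reason}")
```

Flagged entries are candidates for a scan or upload of the referenced file, not a verdict on it.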

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: avast mail scanner [svchost.exe-.64-120-147-85.hostnoc.net]
« Reply #7 on: November 13, 2009, 11:11:57 PM »
Depending on your HijackThis Log:

Your Hosts File has something not right, so:
Download and install HostsMan.
After installing, run it, click on "update Hosts", choose "MVPS Hosts" and in the options below choose "Overwrite Current" hosts.
This step would immunize your Hosts File and would prevent any internet traffic to malware sites, and would also fix the Windows Hosts File if it has been hijacked by malware.

Yet, some parts of AVG are running on your computer:
Download and run AVG Remover 32Bit or AVG Remover 64Bit.

______________
Some additional options to make sure your computer is running healthy:
Download, install and update these programs (just use Offline update installer if you cannot use Live Update to update your programs):

Program | Download | Offline Updater
Malwarebytes Antimalware | Download | Updater
SUPERAntiSpyware | Download | Updater

Scan your computer using them and let them remove everything they find.


Also, to try another antivirus engine, you can try:
The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available. You can download it from Here. You can learn how to use it from Here.
Also, if you want to burn that disc yourself with your own burning tool (such as Nero or…), you can download the Image File (.iso) from Here.
After burning it to disc, use it to boot your computer, do a full scan and remove everything it finds.
« Last Edit: November 13, 2009, 11:20:05 PM by Omid Farhang »
Twitter: OmidFarhangEn - OS: Manjaro KDE

Offline polonus

Re: avast mail scanner [svchost.exe-.64-120-147-85.hostnoc.net]
« Reply #8 on: November 14, 2009, 12:43:45 AM »
Hi Omid Farhang,

Thank you for this so-called "quick and dirty" on the major issues here, it might be just the thing his machine needs at the moment to again start to run smoothly.
@ zxj24 Just follow all the advice in this thread,

Damian