Content Top
DAL Computer Help » Internet Security Help » Spyware, Adware, Viruses and HijackThis Logs » Suspicious AutoSMTP Activity

Recommended Fix

Click here to fix Windows Errors and Optimize Windows Performance

Need Computer Help?
Register Now for FREE

Suspicious AutoSMTP Activity

Reply
Thread Tools
Spyware, Adware, Viruses and HijackThis Logs
  #1 (permalink)  
Old 24-11-2005, 06:00 PM
Newbie
D-A-L Newbie
  
Join Date: Nov 2005
Posts: 7
Zevon Is a beginner here at D-A-L
HighjackThis Log + Suspicious AutoPOP3 Activity
This has been going on for quite sometime. Here are my logs from AVG Free and a HijackThis Scan

I'm also running Azureus and the process causing all the activity in my AVG Log is javaw.exe also. Sample...

22.11.2005 18:07:58.359 [9e0] AutoPOP3(10110): Connection from process 468
22.11.2005 18:07:58.359 [9e0] AutoPOP3(10110): Connection from 127.0.0.1:1672
22.11.2005 18:07:58.359 [9e0] AutoPOP3(10110): Will connect to 80.195.137.46:110
22.11.2005 18:07:58.375 [a2c] AutoPOP3(10110): Client connected
22.11.2005 18:07:58.375 OpenInternet = 0
22.11.2005 18:07:58.375 AddTrayIcon()
22.11.2005 18:09:31.781 [a2c] AutoPOP3(10110): Cannot connect to 80-195-137-46.cable.ubr05.uddi.blueyonder.co.uk:110
22.11.2005 18:09:31.781 [a2c] AutoPOP3(10110): Connect: The operation completed successfully. (0)
22.11.2005 18:09:31.781 [a2c] AutoPOP3(10110): PROXY:S:-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!
22.11.2005 18:09:31.781 CloseInternet = 1
22.11.2005 18:09:31.781 RemoveTrayIcon()
22.11.2005 18:09:31.796 [a2c] AutoPOP3(10110): Client disconnected


I turned off Azureus and I didn't see anything. WHat could be causing this? By the way. I use Thunderbird right now and when this is happening with the AutoPoP3 its not even on. Kind of creepy. No AntiVirus , Trojan, Spyware, Rootkit Scanner has found anything but a tracking cooking and some false positives.

MOre log file...
18.11.2005 17:54:41 Starting the main loop
18.11.2005 17:54:41 Redirector version 70004
18.11.2005 17:54:41 [9e0] AutoPOP3(10110): Starting server
18.11.2005 17:54:41 [9e4] AutoSMTP(10025): Starting server
18.11.2005 17:54:41 Queue processing started
18.11.2005 18:54:25 [9e0] AutoPOP3(10110): Connection from process 2056
18.11.2005 18:54:25 [9e0] AutoPOP3(10110): Connection from 127.0.0.1:2418
18.11.2005 18:54:25 [f14] AutoPOP3(10110): Client connected
18.11.2005 1821 [f14] AutoPOP3(10110): Cannot connect to 3E6B67E5.rev.stofanet.dk:110
18.11.2005 1821 [f14] AutoPOP3(10110): Connect: The operation completed successfully. (0)
18.11.2005 1821 [f14] AutoPOP3(10110): Client disconnected
18.11.2005 23:31:14 [9e0] AutoPOP3(10110): Connection from process 2056
18.11.2005 23:31:14 [9e0] AutoPOP3(10110): Connection from 127.0.0.1:2652
18.11.2005 23:31:14 [4bc] AutoPOP3(10110): Client connected
18.11.2005 23:33:39 [4bc] AutoPOP3(10110): Cannot connect to 3E6B67E5.rev.stofanet.dk:110
18.11.2005 23:33:39 [4bc] AutoPOP3(10110): Connect: The operation completed successfully. (0)
18.11.2005 23:33:39 [4bc] AutoPOP3(10110): Client disconnected
19.11.2005 01:41:29 [9e4] AutoSMTP(10025): Connection from process 2056
19.11.2005 01:41:29 [9e4] AutoSMTP(10025): Connection from 127.0.0.1:4607
19.11.2005 01:41:29 [9a8] AutoSMTP(10025): Client connected
19.11.2005 01:41:29 [9a8] AutoSMTP(10025): Client closed connection
19.11.2005 01:41:29 [9a8] AutoSMTP(10025): Client disconnected
19.11.2005 02:37:06 [9e4] AutoSMTP(10025): Connection from process 2056
19.11.2005 02:37:06 [9e4] AutoSMTP(10025): Connection from 127.0.0.1:1506
19.11.2005 02:37:06 [4bc] AutoSMTP(10025): Client connected
19.11.2005 02:37:06 [4bc] AutoSMTP(10025): Client closed connection
19.11.2005 02:37:06 [4bc] AutoSMTP(10025): Client disconnected
19.11.2005 13:05:01 [9e0] AutoPOP3(10110): Connection from process 2056
19.11.2005 13:05:01 [9e0] AutoPOP3(10110): Connection from 127.0.0.1:2907
19.11.2005 13:05:01 [f3c] AutoPOP3(10110): Client connected
19.11.2005 13:08:02 [f3c] AutoPOP3(10110): Cannot connect to p54BD2CC2.dip0.t-ipconnect.de:110
19.11.2005 13:08:02 [f3c] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
19.11.2005 13:08:02 [f3c] AutoPOP3(10110): Client disconnected

Here is a fresh HijackThis Scan


Logfile of HijackThis v1.99.1
Scan saved at 8:59:23 AM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Sygate\smc.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
F:\PROGRA~1\Grisoft\avgamsvr.exe
F:\PROGRA~1\Grisoft\avgupsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
F:\Program Files\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
F:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
F:\PROGRA~1\Grisoft\avgcc.exe
F:\PROGRA~1\Grisoft\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
F:\program files\activesync\WCESCOMM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\ATI Tool\ATITool\ATITool.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\Acrobat.exe
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\Adobelm_Cleanup .0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\Adobelm_Cleanup .0001
F:\Program Files\PeerGuardian 2.b\PeerGuardian2\pg2.exe
C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
F:\Downloadz II\HIjackThis 9.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozillazine.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozillazine.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0 Pro\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\PROGRA~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Acronis True Image Monitor] "F:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\avgemc.exe
O4 - HKLM\..\Run: [SmcService] F:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CTDVDDet] F:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\program files\activesync\WCESCOMM.EXE"
O4 - Startup: ATITool.lnk = F:\Program Files\ATI Tool\ATITool\ATITool.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - f:\program files\activesync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - f:\program files\activesync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - f:\program files\activesync\INETREPL.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - F:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - F:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - F:\Program Files\Sygate\smc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Program Files\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe



I've looked on the AVG Free Forum and I see this activity in a number of threads. I've even seen on thread on this forum with some of the same activity in the logs.

Thanks for your help.
Last edited by Zevon; 25-11-2005 at 04:19 AM. Reason: More Details in Title
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #2 (permalink)  
Old 25-11-2005, 06:11 PM
Neal's Avatar
Senior Member
  
Join Date: Sep 2005
Posts: 5,520
Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!
Re: Suspicious AutoSMTP Activity
Hi,

Let's start off by doing this:


Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.

4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.


5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|



ASAP: promoting a high standard and quality of security support no matter where you seek help.

Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #3 (permalink)  
Old 25-11-2005, 07:32 PM
Newbie
D-A-L Newbie
  
Join Date: Nov 2005
Posts: 7
Zevon Is a beginner here at D-A-L
Re: Suspicious AutoSMTP Activity
Thank you Neal!

I've got to do a few things this afternoon but will get you some new logs this evening.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #4 (permalink)  
Old 25-11-2005, 09:09 PM
Newbie
D-A-L Newbie
  
Join Date: Nov 2005
Posts: 7
Zevon Is a beginner here at D-A-L
Re: Suspicious AutoSMTP Activity
Turns out I had some extra time. Here are both logs.

Logfile of HijackThis v1.99.1
Scan saved at 12:02:40 PM, on 11/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Sygate\smc.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
F:\PROGRA~1\Grisoft\avgamsvr.exe
F:\PROGRA~1\Grisoft\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
F:\Program Files\security suite\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
F:\Program Files\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
F:\PROGRA~1\Grisoft\avgcc.exe
F:\PROGRA~1\Grisoft\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
F:\program files\activesync\WCESCOMM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\ATI Tool\ATITool\ATITool.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\PeerGuardian 2.b\PeerGuardian2\pg2.exe
F:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
F:\Downloadz II\HIjackThis 9.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozillazine.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozillazine.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0 Pro\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - F:\PROGRA~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Acronis True Image Monitor] "F:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\avgemc.exe
O4 - HKLM\..\Run: [SmcService] F:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CTDVDDet] F:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\program files\activesync\WCESCOMM.EXE"
O4 - Startup: ATITool.lnk = F:\Program Files\ATI Tool\ATITool\ATITool.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - f:\program files\activesync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - f:\program files\activesync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - f:\program files\activesync\INETREPL.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - F:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - F:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - F:\Program Files\Sygate\smc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Program Files\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe




I can't post the Ewido Log. Its too long. I'm attaching it.
Attached Files
File Type: zip Scan report_20051125.txt.zip (5.5 KB, 1 views)
Last edited by Zevon; 25-11-2005 at 09:14 PM.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #5 (permalink)  
Old 26-11-2005, 01:04 AM
Neal's Avatar
Senior Member
  
Join Date: Sep 2005
Posts: 5,520
Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!
Re: Suspicious AutoSMTP Activity
Ewido found mostly cookies but did find a few bad guys.

Let's dig a little bit deeper but this may not be virus related.


Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.


* Download finditnt2000xp.zip
* Unzip the contents of finditnt2000xp.zip to a convenient location.
* Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
* A command prompt will open and it will search your computer for malicious files.
* Once it has finished a Notepad window will pop up with output.txt.
* Copy the entire contents of output.txt into your next post.
* DON'T delete/modify any files yet

Thanks
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|



ASAP: promoting a high standard and quality of security support no matter where you seek help.

Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #6 (permalink)  
Old 26-11-2005, 06:20 AM
Newbie
D-A-L Newbie
  
Join Date: Nov 2005
Posts: 7
Zevon Is a beginner here at D-A-L
Re: Suspicious AutoSMTP Activity
Thanks for looking into this. Here is the latest AVG mail log. Everytime I see this happen its like a new address for the connection.

25.11.2005 14:51:16.437 [8a8] AutoPOP3(10110): Starting server
25.11.2005 14:51:16.437 [8ac] AutoSMTP(10025): Starting server
25.11.2005 14:51:16.437 Queue processing started
25.11.2005 14:51:16.734 Online connection detected
25.11.2005 16:24:08.453 [8a8] AutoPOP3(10110): Connection from process 764
25.11.2005 16:24:08.453 [8a8] AutoPOP3(10110): Connection from 127.0.0.1:3383
25.11.2005 16:24:08.453 [8a8] AutoPOP3(10110): Will connect to 213.208.112.223:110
25.11.2005 16:24:08.453 [7dc] AutoPOP3(10110): Client connected
25.11.2005 16:24:08.453 OpenInternet = 0
25.11.2005 16:24:08.453 AddTrayIcon()
25.11.2005 16:24:30.500 [7dc] AutoPOP3(10110): Cannot connect to ptrewin.gotadsl.co.uk:110
25.11.2005 16:24:30.500 [7dc] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
25.11.2005 16:24:30.500 [7dc] AutoPOP3(10110): PROXY:S:-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!
25.11.2005 16:24:30.500 CloseInternet = 1
25.11.2005 16:24:30.500 RemoveTrayIcon()
25.11.2005 16:24:30.734 [7dc] AutoPOP3(10110): Client disconnected
25.11.2005 19:16:08.781 [8a8] AutoPOP3(10110): Connection from process 764
25.11.2005 19:16:08.781 [8a8] AutoPOP3(10110): Connection from 127.0.0.1:3272
25.11.2005 19:16:08.781 [8a8] AutoPOP3(10110): Will connect to 213.208.112.223:110
25.11.2005 19:16:08.781 [b24] AutoPOP3(10110): Client connected
25.11.2005 19:16:08.781 OpenInternet = 0
25.11.2005 19:16:08.781 AddTrayIcon()
25.11.2005 19:16:29.750 [b24] AutoPOP3(10110): Cannot connect to ptrewin.gotadsl.co.uk:110
25.11.2005 19:16:29.750 [b24] AutoPOP3(10110): Connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)
25.11.2005 19:16:29.750 [b24] AutoPOP3(10110): PROXY:S:-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!
25.11.2005 19:16:29.750 CloseInternet = 1
25.11.2005 19:16:29.750 RemoveTrayIcon()
25.11.2005 19:16:29.968 [b24] AutoPOP3(10110): Client disconnected
Attached Files
File Type: zip output.zip (2.1 KB, 1 views)
File Type: txt Startup Programs 2005-11-25 20.52.27.txt (18.1 KB, 2 views)
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #7 (permalink)  
Old 26-11-2005, 10:39 PM
Neal's Avatar
Senior Member
  
Join Date: Sep 2005
Posts: 5,520
Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!Neal is a D-A-L Rockstar!
Re: Suspicious AutoSMTP Activity
Both logs are clean.

As far as that AVG thing I have no idea.

Maybe uninstall and re-install or look at your settings, I don't know.

You can do some online scans if you want but maybe not virus related.


Internet Explorer required
Run these two online virus scanners (Panda Activescan) following these instructions below:
http://www.pandasoftware.com/product..._principal.htm


Internet Explorer required
Also this excellent(BitDefender) scanner:http://www.bitdefender.com/scan8/ie.html


These scans will take more than an hour to complete, so make sure you have time to let them run thru. Save the Panda scan log and the BitDefender log and post them back here please with a new Hijackthis log.

Thanks.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|



ASAP: promoting a high standard and quality of security support no matter where you seek help.

Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Reply

« Previous Thread | Next Thread »

Thread Tools

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Two suspicious files that came up during scan Black Milk Spyware, Adware, Viruses and HijackThis Logs 1 18-08-2008 11:37 PM
IO 7 - suspicious default web page (RESOLVED) rpleach Spyware, Adware, Viruses and HijackThis Logs 8 17-07-2007 07:31 PM
A Suspicious Script samir_99 Desktop / Server Applications 1 08-03-2007 01:52 AM
Can you please look over my log for anything suspicious(RESOLVED)? teacher5 Spyware, Adware, Viruses and HijackThis Logs 7 29-05-2006 02:12 AM
Suspicious Programs lisacas5 Spyware, Adware, Viruses and HijackThis Logs 5 10-01-2006 02:01 PM


All times are GMT +1. The time now is 06:48 AM.
Member Login
Remember me ?
Forgot password?
Ads

Want to Advertise? Click Here
Help Categories
Desktop / Server Apps
Drivers
Firewalls and Networks
Games
General Internet Issues
Hardware
Linux
MAC OS
Modding / Overclocking
Search Engines
Spyware and Security
Web Development
Windows 2000
Windows 7
Windows 98
Windows ME
Windows Vista
Windows XP

Computer Repair Companies
Bottom Corner Bottom Nav