avg email scanner
Original Message
Name: just
Date: February 1, 2005 at 01:14:48 Pacific
Subject: avg email scanner
OS: don't know
CPU/Ram: don't know
Comment: While I'm online the AVG email scanner keeps popping up sending emails to people like someone@bluewin.ch. Why is it doing this?
Response Number 1
Name: smifff
Date: February 1, 2005 at 14:28:54 Pacific
Reply: It sounds like someone is using your computer to send spam. Run HijackThis and post your log file to this web site, http://www.hijackthis.de/, for an instant automated response. If any advice helps, please post back as it might help others.
Response Number 2
Name: Keller
Date: February 1, 2005 at 15:20:52 Pacific
Reply: AVG is not sending the message out; it's merely scanning the outgoing message. As smifff suggests, you probably have cooties on your computer spamming or 'calling home'.
Response Number 3
Name: Derek
Date: February 1, 2005 at 18:41:29 Pacific
Reply: Run a malware fixer/finder such as Ad-Aware (free). Update it before running. Update and run your virus checker too. It might reduce the length of your HijackThis log even if it doesn't cure the problem (which it might). Derek.W
Response Number 4
Name: crwmlw
Date: February 6, 2005 at 12:30:29 Pacific
Reply: Hi, I'm having the same problem; the email scanner is attempting to send emails and IP addresses. The only way to stop it is to disable the plug-in? Please email me with any help at crwmlw@comcast.net
Response Number 5
Name: Derek
Date: February 6, 2005 at 14:20:41 Pacific
Reply: Chuck, we normally stick to the forum unless there is some special reason. First follow the response I gave at #3. Next download, update and run this trojan finder/fixer: A2FREE - DOWN THE PAGE. After this you can get HijackThis and copy/paste your log here: HIJACK THIS AUTO-ANALYZER. If you are still in trouble or need further help, make a "New" post by going to the Security & Virus forum (top left). Tell them what you've tried as well as the symptoms. When you have sorted out all your problems, download SpywareBlaster. This doesn't find/fix anything, but it puts kill bits in the registry to prevent malware ever taking hold. It does not run in the background or use resources. It only runs when you are updating it. Derek.W
Response Number 8
Name: Derek
Date: February 6, 2005 at 15:45:04 Pacific
Reply: Err... did you give it anything to analyze? You run the HijackThis scan, hit the button that says make a log. This brings it up in Notepad. You highlight all of it by swiping with the mouse, then select "Copy". When you get the analyzer's empty box you do "Paste". Press the Analyze button on there and wait (scroll the screen up when it has finished). If it doesn't run after that lot then maybe you have IE security set to max rather than default. Derek.W
Response Number 11
Name: crwmlw
Date: February 6, 2005 at 16:49:51 Pacific
Reply: OK, I don't see a button that says make a log. The only thing I see is a blank box that says "You can paste a logfile in this textbox", then under the box it says "or you can choose a logfile from your computer", then a blank line and next to it says browse.
Response Number 12
Name: crwmlw
Date: February 6, 2005 at 16:54:46 Pacific
Reply:
Logfile of HijackThis v1.99.0
Scan saved at 6:52:22 PM, on 2/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hicom.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis_199[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://mssearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mssearch4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotbot.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mssearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://mssearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotbot.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101297521656
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://download.35mb.com/images/dlapplet.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.p--syharem.com/stream/mmp.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O21 - SSODL: eplrr - {82A0815D-595A-4B12-8006-EDBBE6987364} - C:\WINDOWS\system32\eplrr3.dll
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Sub Connections - Unknown - C:\WINDOWS\system32\shmyga.exe (file missing)
O23 - Service: Working Network Connections - Unknown - C:\WINDOWS\system32\hicom.exe
Response Number 13
Name: crwmlw
Date: February 6, 2005 at 16:59:01 Pacific
Reply: Did I do it right? Now I'm lost. What do I do from here? Thanks for your patience and help. I really appreciate it.
Response Number 14
Name: Derek
Date: February 6, 2005 at 17:11:19 Pacific
Reply: Well, you've got half of it right. You've copied your log fine, whatever you did. The idea was to paste it into the empty white box on the analyzer (not on here). Try it. These logs can take ages to wade through (the last one took me some hours), so that is why they discourage pasting them "on here" unless someone asks you to. I might have a quick look as yours is fairly short, but I would try that analyzer because it is useful to know about. If there's anything bad it should show; you just have to be careful about letting HijackThis remove unknowns (they could be important). Google often tracks them down. Derek.W
Response Number 15
Name: crwmlw
Date: February 6, 2005 at 17:19:28 Pacific
Reply: OK, did that; I copied it in the box and analyzed it. A few unknowns, a few Nasty and a few possibly nasty with a question mark. Which ones should I delete?
Response Number 17
Name: jboy
Date: February 6, 2005 at 17:35:48 Pacific
Reply: It's hard to know what to tell you since instructions seem to roll right off. I'm not insensitive, I just don't care.
Response Number 18
Name: Derek
Date: February 6, 2005 at 18:35:34 Pacific
Reply: I will try to help as far as time permits, but there are three general points I must make.

Firstly, I realise you just Googled into this post, but one of many reasons you needed to raise your own new post (as I suggested) is that we get your system details when you do so. You are on the W95/98 forum with an XP machine. Fortunately it doesn't make too much odds to this query, but I didn't realise this at first.

Secondly, you should run programs like "Ad-Aware" and/or "SpyBot Search and Destroy" before you even think of HJT logs. In this instance I also suggested A2FREE. You don't say whether you did so or not.

Thirdly, we do not normally analyze logs, so we hope the user can do so. The auto analyzer is suggested, but folks sometimes come back with the odd query if necessary.

So OK, here's what I made of the log, but you must do the donkey work. You should run the HijackThis program and definitely ask it to remove ALL entries with these two showing:
mssearch4u.com (it's spyware)
spoolsrv32.exe (it's a virus)
They are the most important ones. You can also ask HJT to remove the O23 entry which mentions shymyga.exe, because the file is missing anyway so it is quite pointless.

www.hotbot.com is a website that you are directed to from SPAM email. It is not for me to question why you went there (if you did), but suffice to say they should not therefore be trusted with a barge pole. My advice is to let HJT remove all entries mentioning this website.

A few general things: I have reason to believe you "might" have SpyDoctor installed. If so, uninstall it, because it tells you about nasties you "haven't got" in order to persuade you to buy it. Not to be trusted. Check any anti-spyware programs you download with this website: ROGUE ANTI-SPYWARE PRODUCTS. You have your XP firewall turned off. Once you have got HJT to remove the items suggested, "put your firewall back on again". Download the latest version of IE (on its own). Then go back and make sure you have all Windows security updates. Have on board the anti-malware/trojan programs I've suggested in this posting. When you are certain your machine is safe, then download SpywareBlaster. This does not run in the background; it sets the registry to "keep malware out" (rather than fixing it afterwards).

I am prepared to let you post your log on here once more, but only after you consider that you have dealt with the items I suggested. The reason for this is because of the time it takes to wade through them. Take a look at the time of your last post, then the time on this one. I have been working on your log for the whole of that period (and yours was an easy one).

Hope this helps and you will now understand the principles behind HJT and the auto-analysis you ran. The idea is to deal with this yourself. Google can often unearth what the questionable ones are about. Sadly the net is now littered with these logs, so sometimes it is best to put -hijackthis after your search string (otherwise all you get is logs). Google "groups" should also be tried. Putting file names into the search line is often the best way. Good luck. Derek.W
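As an added example (not part of this thread or of HijackThis itself), here is a small Python checker that parses HijackThis-style R/O entries and flags the three kinds of item Derek's analysis singles out: the mssearch4u.com search hijack, the RunOnce entry whose spoolsrv32.exe name mimics the real print spooler (spoolsv.exe), and O23 services that are either missing on disk or from an unknown publisher. The sample lines are copied from the log posted in Response 12; the rules, regexes and names are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis log posted in this
# thread (Response 12), cut down to the lines the discussion turns on.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://mssearch4u.com/sp.htm
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sub Connections - Unknown - C:\WINDOWS\system32\shmyga.exe (file missing)
O23 - Service: Working Network Connections - Unknown - C:\WINDOWS\system32\hicom.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^.*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")

# Domain the thread identified as a search hijacker (Response 18).
HIJACK_DOMAINS = ("mssearch4u.com",)
# The genuine Windows print spooler; any other spool*.exe autostart is a lookalike.
REAL_SPOOLER = "spoolsv.exe"

@dataclass
class Finding:
    section: str
    reason: str
    line: str

def exe_name(cmd):
    """Lower-cased basename of the program in a Run/RunOnce command line."""
    cmd = cmd.strip()
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return first.rsplit("\\", 1)[-1].lower()

def analyze(log_text):
    """Return a Finding for every entry that matches one of the thread's red flags."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines and the running-process list are skipped
        section, body = m.group("section"), m.group("body")
        if section.startswith("R") and any(d in body.lower() for d in HIJACK_DOMAINS):
            findings.append(Finding(section, "IE search/start page points at a known hijack domain", line))
        elif section == "O4":
            o4 = O4_RE.match(body)
            name = exe_name(o4.group("cmd")) if o4 else ""
            if name.startswith("spool") and name != REAL_SPOOLER:
                findings.append(Finding(section, f"autostart binary {name} mimics {REAL_SPOOLER}", line))
        elif section == "O23":
            svc = O23_RE.match(body)
            if svc and svc.group("path").endswith("(file missing)"):
                findings.append(Finding(section, "orphaned service: binary missing, entry is dead weight", line))
            elif svc and svc.group("company") == "Unknown":
                findings.append(Finding(section, "service from unknown publisher: research the file name", line))
    return findings
```

Running `analyze(SAMPLE_LOG)` yields four findings (the spoolsrv32.exe RunOnce, the mssearch4u.com R1, and the two Unknown O23 services) and leaves the AVG entries alone.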
Response Number 19
Name: crwmlw
Date: February 7, 2005 at 14:12:05 Pacific
Reply: OK, thanks for all the help. I deleted the ones you said and now for some reason when the computer starts I get an error message that says searching for hicom.exe. I click OK and it goes away, but when I restart it comes back. Any ideas?
Response Number 20
Name: Derek
Date: February 7, 2005 at 16:45:43 Pacific
Reply: OK, there is a reference to this file still in the machine. This is either in the registry or in one of the two files system.ini or win.ini.

Just to safeguard yourself in case you remove the wrong thing, make a folder called dump straight off the C drive. Copy System.ini and Win.ini into it - they live in c:\windows. That way you can always copy your old files back again if you goof something.

It is most likely to be in system.ini, so type system.ini in the Run box (hit the Return key). This will pop up in Notepad. Look for a line which mentions hicom.exe (you may care to use Search/Find). If you find a line which contains it, delete that complete line and ensure it leaves no gap (hit the delete key once more with the cursor on that line). Save the file when finished. If you can't find it there, exit without saving and try the same with win.ini.

When you have done and you have checked all is OK by rebooting (whether you find hicom.exe or not) you can safely delete the folder called dump. If you can't find hicom.exe in either of these files then we will need to take it out of the registry, but we'll cross that bridge later if we should need to. Derek.W
Response Number 21
Name: crwmlw
Date: February 7, 2005 at 17:03:02 Pacific
Reply: OK, that file isn't in system.ini or win.ini. Also, I tried everything stated above and AVG keeps attempting to send emails and IP addresses. I'm starting to lose my mind :-) Thanks for all your help.
Response Number 22
Name: Derek
Date: February 7, 2005 at 20:25:13 Pacific
Reply: Sorry, I am going to have to vanish for some time. You could type regedit in the Run box then do Edit/Find searching for hicom.exe. Unless you are happy in the registry you will probably need help; otherwise you could make things worse. You delete the entry but have to be quite certain you get it right. I doubt this hicom thing is anything to do with your original post (just the remnant of a nasty which has now gone), and it seems there is some other nasty or nasties still in there. Make sure you've run Ad-Aware and that A2FREE I mentioned. Run your log on the analyzer and make sure it's OK now. Not sure when I can get back, so you would probably be better off reposting this as a new post in the S&V forum. Sorry I can't help further at this time, but I've a few other non-computer things on my plate for a while. Derek.W
Response Number 23
Name: Tomt
Date: March 2, 2005 at 08:35:03 Pacific
Reply: Chuck, not to butt in here, especially since it sounds like you have already spent time and had some success with the HijackThis utility. However, if it were me - it sounds like you definitely got hit with some nasty spyware. These days spyware and computer viruses are about the same thing. At this point, you might consider just spending a Saturday wiping your hard drive clean and installing Windows from scratch. It's really not very difficult, and a good thing to learn how to do anyway. You will probably find that your computer runs better and faster with a fresh install as well. Two things to keep in mind:

1 - Obviously you have to save everything on your PC that you want to keep (hopefully by burning to CD), like pictures, password or account info that might be saved with certain programs, programs, saved email messages, etc. You want to be very careful that you don't miss anything...

2 - Assuming you are using Windows 2000 or XP, if you have a somewhat fancy PC it is possible that you will need a driver disk (floppy) for a piece of hardware in your computer such as a hard drive controller, or another type of controller on your motherboard. This would be a driver that is not already on the Windows disk, and something that Windows needs to have before it can go ahead and install the operating system. At the very beginning of the installation process you hit the F5 key when it says "Hit F5 to install a 3rd party driver", and insert the floppy. In most cases, if you have a "typical" PC made by Dell or HP, you don't have to worry about this part. All you do is install Windows and then, after you're done, update the individual drivers for your video card, sound card, etc. by downloading the latest versions from the internet.

Anyway, just a suggestion - if I caught a spyware that was sending emails by itself from my computer, that's what I would do.
Response Number 24
Name: Derek
Date: March 2, 2005 at 14:44:36 Pacific
Reply: Reformat is obviously a good "cure-all" for any software problem. Fine if you have all your CDs and drivers to hand (modem, sound, display etc.) and haven't got too much of your own stuff that you want to back up. If you have got stacks of programs and have made many changes it could take some time. It is an option (if the problem is still there), but don't be fooled into thinking it will all be sorted in an hour or so. You'll have basic Windows back quite quickly, but that is all. In my case I would then have to spend "weeks" putting things back the way I wanted them (rather than the way MS think I should have them). In this instance all we "seem" to have left is a reference to a file that has been removed. If this is the case then reformat sounds like taking a sledgehammer to crack a peanut. This is however a forum and we are all entitled to our own opinions. Derek.W