Spambot sent e-mails from computer

Late yesterday my wife's computer sent e-mails to everyone in her AOL address book. They contained seemingly randomly generated links which redirected to . AVG pops an alert which says:
AVG Alert "Accessed file is infected"; "Threat was blocked!";
File Name:
Threat Name: Exploit Pharmacy Spam Site (type 1173)

AOL version 9.1 for W2KPro SP3, XP and Vista Revision 4334.5012

I ran a full computer scan using AVG Free and downloaded Trial F-Prot and ran a full scan with that as well. F-Prot found nothing, though there were several files which it said were encrypted and could not be scanned. AVG found 5 cookies, three which were a threat and could not be cleaned, but all were deleted and/or quarantined.

No more spontaneous e-mail has been sent from AOL as of this point, and we only use web-mail for everything else: No Outlook, No Outlook Express. I still do not feel comfortable using this computer until I have some expert help. The hijackthis log is below.

1) I am asking an expert to take a look here and see if anything appears to be wrong.

2) Tell me what other steps I might take if HJT shows nothing.

(Negative comments regarding AOL will just waste time. BTW, this is only the 2nd virus/malware she has brought home since 1981, so we have been blessed and vigilant.)

Thanks in advance.

hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:33:08 PM, on 9/14/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Mediafour\MacDrive 8\MacDrive8Service.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\AOL\1255161568\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1255161568\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} -
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} -
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MacDrive 8 service (MacDrive8Service) - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

End of file - 9192 bytes
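As an added example, not part of this thread and not HijackThis's own code: a small Python triage script that parses a HijackThis-style log and pulls out the entries an analyst checks first (targets marked "(file missing)", O23 services with no vendor string, O4 autoruns pointing outside Program Files/Windows or into a temp/profile folder). The sample log is constructed for the example; most lines mirror entries from the log above, while the "[updater]" autorun line is made up to show what an autorun from a scratch folder looks like.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of a HijackThis 2.0.4 log. The AVG, Spybot,
# Intel and Dell lines mirror entries from the log above; the "[updater]" O4
# line is made up to show an autorun from a temp folder.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\Program Files\AVG\AVG9\avgwdsvc.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
End of file - 9192 bytes
"""

# An HJT entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [Name] path".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# Where legitimately installed software normally lives on XP (lower-cased).
TRUSTED_ROOTS = (r"c:\program files", r"c:\progra~1", r"c:\windows")
# Profile / scratch locations that installed software rarely autoruns from.
SCRATCH_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")
# The executable after the "[Name]" in an O4 body, with or without quotes.
TARGET_RE = re.compile(r'\]\s*"?([^"]+?\.(?:exe|dll|scr|cmd|bat|vbs))"?', re.IGNORECASE)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return the R/F/N/O entries of an HJT log as {"section", "body"} dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def run_target(body: str) -> str:
    """Extract the executable path from an O4 body such as
    'HKLM\\..\\Run: [Name] "C:\\path\\prog.exe" -flag'; "" if none found."""
    m = TARGET_RE.search(body)
    return m.group(1) if m else ""


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag entries an analyst would look at first: (section, reason, body)."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        low = body.lower()
        if "(file missing)" in low:
            findings.append((sec, "orphaned entry, target file missing", body))
        elif sec == "O23" and "unknown owner" in low:
            findings.append((sec, "service without a vendor string", body))
        elif sec == "O4":
            target = run_target(body).lower()
            if any(d in target for d in SCRATCH_DIRS):
                findings.append((sec, "autorun from a temp/profile folder", body))
            elif target and not target.startswith(TRUSTED_ROOTS):
                findings.append((sec, "autorun outside Program Files/Windows", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{sec:4} {reason:38} {body}")
```

The rules are ordinary analyst heuristics, not HijackThis signatures: a hit means "look at this", not "infected". Run over the log posted above, it flags only the orphaned avgrsstarter entry and the Dell WLAN tray service (no vendor string, but a Windows\System32 path); both are worth a glance, and neither is evidence of infection on its own.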

Jonvee Commented:
HiJackThis has been unable to detect the more recent malware, and we would recommend Malwarebytes and TDSSKiller.

Meanwhile, while I study your HJT log, please try downloading & updating Malwarebytes' Anti-Malware, from here:

Run in normal mode. Initially a "Quick scan" is all that is needed.

When installation has finished, ensure you leave both of these checked:
Update Malwarebytes' Anti-Malware.
Launch Malwarebytes' Anti-Malware.
Click Finish, and MBAM will automatically start.

Tutorial, if required:

The 2nd scanner is obtained here:

Download the file and extract it into a folder
Execute the file TDSSKiller.exe.
Wait for the scan and disinfection process to be over.
Close all programs and press “Y” key to restart your computer.

More detailed TDSSKiller tutorial:
Papertrip Commented:
Were the mails sent from her actual computer or were the mails just sent to people in her AOL address book through her AOL account?

It is quite possible, and likely, that her account was compromised over the web, not through her computer.  Change the password and you should be fine.
kdouglas10 (Author) Commented:
Papertrip-Thanks for the reply.

Before I accept your answer - since I am a worrier, do you have the expertise to see problems in the HJT log?

These emails are NOT in her Personal Filing Cabinet (AOL), but of course there are bots which can hide them. I tend to think you have the right answer, but would feel more confident if I knew you were versed in HJT logs and current malware signatures.

Thanks for your help.


Papertrip Commented:
No sorry I can't help with that part.

Good luck.
kdouglas10 (Author) Commented:
Thanks for your honesty and your response.
Jonvee Commented:
Incidentally your wife's computer may not necessarily be compromised at this time, but by running the above two scanners we can certainly strengthen the fact that this is so.
Meanwhile you may also like to view these two excellent articles written by the top people around here, rpggamergirl and younghv ...
In the HJT log file there was just one HJT "deactivated" entry that can be fixed, but it's doing no harm if left well alone:
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

IMHO your HJT logfile appears clean, but I still highly recommend that you scan with MBAM and TDSSKiller, as discussed above, just to be prudent. TDSSKiller is looking for hidden rootkits.

You'll probably need to temporarily disable any resident AV & anti-Malware scanners you may have running, during the above scans.
phototropic Commented:
Your HJT log appears to show that you are running AVG 9 AND F-Prot antivirus AND Microsoft Security Essentials. All three of these are loading at startup. You should uninstall two of these: you only want one av program running in real-time. Having three will cause conflicts and may leave you less protected than having one av would.

If you plan on continuing with AVG, you should upgrade to the latest version (AVG 2012) which is available here:

Your HJT log shows no obvious sign of infection, but as Jonvee says above, it is not the tool it once was.

You have both Spybot and Adaware on your computer.  Have you scanned with either of these?

If you run a TDSSKiller and/or Mbam scan, please post the log here for review.

Jonvee Commented:
Sorry to jump in...I should have refreshed the page before I posted!!!
@ kdouglas10
About anti-Malware conflicts, I agree with phototropic.
If you do go ahead and remove two of them, my choice would be to keep Microsoft Security Essentials (MSE).
At present it has an excellent record, and appears to use less computer resources than any existing AVG product.

Regarding Spybot and Adaware, and just for the record, IMO the latter app has long since been overtaken by those products listed above. However, there have been reports that Spybot has sometimes detected Malware that has been missed by other products ...but it still seems MBAM is far superior.
This simply demonstrates that it's wise to occasionally run a number of anti-Malware products, but not more than one resident (real time) application.

@ phototropic
No problem, it's good to see you ;)
kdouglas10 (Author) Commented:
WOW - Thanks Jonvee & Phototropic for bringing me up to speed. Last 4 or 5 years, I have not really been involved in things tech (obviously). I appreciate the articles and suggestions. Will disable/uninstall AVG F-Prot and start w/ Jonvee's suggestions interspersed w/ reading. Hope to be back with requested logs before noon.

Re: Spybot and Adaware scans. Spybot came back with all clear, and Adaware picked up 10 Threat Level 3 cookies which were removed.

kdouglas10 (Author) Commented:
ACTIONS starting 9/15 0900 hrs EDT

Uninstalled AVG

Uninstalled F-Prot

HJT entry O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing) per Jonvee evidently fixed by AVG uninstall

Disabled Resident (Tea-Timer) Spybot S&D

Disabled System Restore & removed past restore files.

Disabled MSE real-time protection
Noticed Tea-Timer (SBS&D) is back.
Uninstalled Spy-bot Search and Destroy

Installed MBAM per Jonvee
Updated MBAM from v. 7622 -> 7722 current.

MBAM Quick Scan Results show 5 infected items
LOG: ===========Start================
Malwarebytes' Anti-Malware

Database version: 7722

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/15/2011 12:02:59 PM
1_mbam-log-2011-09-15 (12-02-42).txt

Scan type: Quick scan
Objects scanned: 182784
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[I have manually disabled Windows Security Center nag for firewall & AV Products, so not sure if above IS infection, or just notification - expert advice needed.]

Saved log (posted above). Started MBAM Full Scan.

1211 hrs EDT
Jonvee Commented:
Reference MBAM's statement: "Registry Data Items Infected":
The (PUM.Hijack.StartMenu) entry, and the other four similar entries, are almost certainly notifications and not due to infections.

A similar discussion took place here>

Incidentally Microsoft's Defender is now contained within MSE.

>>Started MBAM Full Scan<< Good.
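An added example, not from the thread and not Malwarebytes' own code: a Python parser for the MBAM log format shown above that separates PUM.* entries (Potentially Unwanted Modification: a registry setting malware often flips but a user can also set deliberately, such as the Security Center Disable*Notify values) from detections of actual malware, which is the distinction the bracketed question above is asking about. The sample log is constructed; the PUM key names are those from the thread, and the Trojan.Agent "Registry Values" line is made up to show what a non-PUM detection looks like.

```python
import re
from typing import List, NamedTuple

# Constructed excerpt in the shape of a Malwarebytes' Anti-Malware 1.x log.
# The PUM key names are the ones reported in the thread; the Trojan.Agent
# "Registry Values" line is made up to show how a real detection differs.
SAMPLE_MBAM_LOG = r"""Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
(No malicious items detected)
"""

# "<key> (<detection name>) -> <rest>"; rest may itself contain "-> action".
ENTRY_RE = re.compile(r"^(?P<key>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
# PUM entries report the value found and the value MBAM would restore.
VALUES_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


class Finding(NamedTuple):
    section: str
    key: str
    detection: str
    kind: str       # "setting" (PUM.*) or "malware"
    action: str     # what MBAM did, e.g. "No action taken."
    bad: str        # value found (PUM entries only), else ""
    good: str       # value MBAM would restore (PUM entries only), else ""


def classify(detection: str) -> str:
    # Malwarebytes prefixes Potentially Unwanted Modifications with "PUM.":
    # a setting malware often flips, but one an admin may have set on purpose.
    return "setting" if detection.split(".", 1)[0] == "PUM" else "malware"


def parse_mbam(text: str) -> List[Finding]:
    """Parse the per-section detection lines of an MBAM log."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and not line.startswith("HKEY"):
            section = line[:-1]          # e.g. "Registry Data Items Infected"
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                     # "(No malicious items detected)" etc.
        rest = m.group("rest")
        v = VALUES_RE.search(rest)
        findings.append(Finding(
            section, m.group("key"), m.group("detection"),
            classify(m.group("detection")),
            rest.rsplit("->", 1)[-1].strip(),
            v.group("bad") if v else "", v.group("good") if v else ""))
    return findings


def malware_hits(findings: List[Finding]) -> List[Finding]:
    """Detections that are not mere settings: these need cleaning/investigation."""
    return [f for f in findings if f.kind == "malware"]


def settings_to_confirm(findings: List[Finding]) -> List[Finding]:
    """PUM entries: check them against changes the admin made deliberately
    (e.g. silencing Security Center alerts) before letting MBAM revert them."""
    return [f for f in findings if f.kind == "setting"]


if __name__ == "__main__":
    for f in parse_mbam(SAMPLE_MBAM_LOG):
        name = f.key.rsplit("\\", 1)[-1]
        print(f"{f.kind:8} {f.detection:28} {name:24} {f.action}")
```

On the log posted above this yields five "setting" findings and no "malware" findings, which is the reading Jonvee gives: the three Security Center Disable*Notify values match the notification switches the author says he turned off by hand, so reverting them is a policy choice rather than a cleanup step.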
kdouglas10 (Author) Commented:
Jonvee - Results same for MBAM Full Scan as previous quick scan.

Read the post referenced in your last post. DOH! Have been so focused on getting computer back to wife (she has a big meeting imminent & needs 'puter), have not been researching

BTW, other than the use of IE within AOL (which used to be pretty much a rebrand of IE by AOL with some minimal alterations), the default browser on computer is FireFox 6.0.2. Only odd thing I have noticed about the computer (which I am on only when there is a problem, or to clean temp files off the tiny 30GB HD), I have noticed that clicking the X to close FFox, there is a substantial time lag (last time was ~20 secs) before it closes. Trying it just now with stop watch at the ready to get an exact time to close, it is now closing normally (1-2 secs 'til window closed). FF vs IE Mentioned in case it is pertinent since so many tools seem specific to IE, which I quit using ('cept when forced to by certain sites) as soon as Netscape was available. IE version is 8.0.6001.18702; 128-bit Update versions: 0. However, IE, since last upgrade has only been launched w/in AOL. When I launched IE yesterday (to go to from w/in AOL), IE gave me the set-up tutorial for IE8.

One other note re: FF. Also running ghostery to kill many trackers as well as ADBlockPro - just in case those plug-ins could hide any malware.

I have printed out posts and will go back and read other forum postings/articles suggested by you after/while downloading/running Kaspersky's tdsskiller.

In last post you mention "Incidently Microsoft's Defender is now contained within MSE."

Does quote mean uninstall Defender and run only MSE?

Off to Kaspersky...

1350 hrs EDT
kdouglas10 (Author) Commented:

TDSSKiller Scan Completed
Duration: 15secs
Processed: 227 objects
Infection: not found

Do you need to see TDSSKiller Log?

1405 EDT
kdouglas10 (Author) Commented:

OK - Reading the Kaspersky instructions I decided to run TDSSKiller using a couple of switches.

-tdlfs - detect the presence of TDLFS file system which the TDL 3/4 rootkits create ... was negative.

-sigcheck switch (looking for unsigned files) gives me 8 unsigned files (mostly drivers), but checking Google they "seem" to be Dell supplied files.

2011/09/15 15:04:01.0171 2180      Detected object count: 8
2011/09/15 15:04:01.0171 2180      Actual detected object count: 8
2011/09/15 15:04:16.0515 2180      UnsignedFile.Multi.Generic(APPDRV) - User select action: Skip
2011/09/15 15:04:16.0531 2180      UnsignedFile.Multi.Generic(cercsr6) - User select action: Skip
2011/09/15 15:04:16.0531 2180      UnsignedFile.Multi.Generic(DellBIOS) - User select action: Skip
2011/09/15 15:04:16.0531 2180      UnsignedFile.Multi.Generic(nvport) - User select action: Skip
2011/09/15 15:04:16.0531 2180      UnsignedFile.Multi.Generic(OMCI) - User select action: Skip
2011/09/15 15:04:16.0531 2180      UnsignedFile.Multi.Generic(pfc) - User select action: Skip
2011/09/15 15:04:16.0546 2180      UnsignedFile.Multi.Generic(sanyomdm) - User select action: Skip
2011/09/15 15:04:16.0546 2180      UnsignedFile.Multi.Generic(sanyoser) - User select action: Skip

What now?

I guess you may be at work, since first post was this morning 0240 hrs or so. I will check back here every 1-2 hours. My reading of articles will continue. Thank you.
Jonvee Commented:
Dropping by, fleetingly ... thanks for the reports, have quickly read the contents ....

>>Does quote mean uninstall Defender and run only MSE?<<
Yes it does.

>>Do you need to see TDSSKiller Log?<<
No need thanks, you've answered it.

Well, in my opinion the computer is showing no signs of an infection, and can be returned to service. However, having said that, it would be wise to ask the user to report SPAM, or anything else unusual. If the problem does return, please comment below and we'll pick up this thread asap to investigate further. Thanks.
kdouglas10 (Author) Commented:
At this point I assume (particularly after checking on what the PW was) that it was compromised PW. 50 pts to Papertrip for quick response w/ suggestion that I didn't think of; 300 pts to Jonvee for the support I felt I needed when I asked the question, as well as bringing me up to speed w/ current anti-malware methods and tools; 50 pts to phototropic for jumping in w/ offer to help and tip regarding realtime protection and competing AV progs. Competing progs I knew, only left F-Prot installed while waiting for help; competition between MSSEssentials & Spybot Tea-Timer crossed my mind, but I didn't do the research to figure it out. Jonvee's suggestion re: MSDefender & MSSE led me to MS KB where I learned that when user installs MSSE, Defender is (supposed to be) uninstalled in XP & turned off in Vista & Win7. As we know -- supposed to be means your mileage may vary (YMMV).

Thanks to all experts. As an old school guy, I have major difficulty asking for help, but it wasn't too painful 'cause you all are professionals.

I need to spend some time here. Much to learn to stay current. Must admit that when I got the 1st phone call saying wife's computer was spamming I could not even think of the first troubleshooting step. Thank you Jonvee for gently showing the way.

Best to all...

Jonvee Commented:
You're very welcome. Thanks for the illuminating reports throughout, it made the whole task easier. Good luck.
Question has a verified solution.
