MAL1K
Oct 1 2005, 06:34 PM
Hi everyone.
I am on Windows XP with SP2, and I use AVG Anti Virus, Zone Alarm 5.5, PeerGuardian 2, eMule, BitComet.
A few days ago I noticed that my AVG Anti Virus E-Mail Scanner is trying to connect to the internet. I was surprised, because I never use POP3 mail. When I checked the log file I found these entries:
19.9.2005 19:29:08 AVG for E-mail [7.0.321] started
19.9.2005 19:29:10 Using AVG Kernel: 7.0.323 [267.8.8]
19.9.2005 19:29:10 Config: C:\Documents and Settings\Malik\Application Data\AVG7\avgemc.cfg
19.9.2005 19:29:11 Using Cyrus SASL 2.1.13
19.9.2005 19:29:12 Starting the main loop
19.9.2005 19:29:12 Redirector version 70004
19.9.2005 19:29:12 [dc] AutoPOP3(10110): Starting server
19.9.2005 19:29:12 Queue processing started
19.9.2005 19:34:31 AVG for E-mail [7.0.321] started
19.9.2005 19:34:33 Using AVG Kernel: 7.0.323 [267.8.8]
19.9.2005 19:34:33 Config: C:\Documents and Settings\Malik\Application Data\AVG7\avgemc.cfg
19.9.2005 19:34:34 Using Cyrus SASL 2.1.13
19.9.2005 19:34:34 Starting the main loop
19.9.2005 19:34:34 Redirector version 70004
19.9.2005 19:34:35 [6a8] AutoPOP3(10110): Starting server
19.9.2005 19:34:35 Queue processing started
19.9.2005 19:49:42 End of program
19.9.2005 19:49:42 AVG for E-mail ended
I searched on the net, but can't get any kind of help. Then I downloaded "HijackThis" and scanned my PC, and the log file is as under:
Logfile of HijackThis v1.99.1
Scan saved at 4:28:25 AM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
~snip~
Can anyone help me please? How can I solve this problem?
I will be very thankful to you guys.
Regards
Malik
Hunter
Oct 1 2005, 09:26 PM
Your hijack log is missing... and I have deleted a duplicate post you made of this in the AVG forum... please post your log.
MAL1K
Oct 2 2005, 08:43 PM
Hi there.
Thanks for the response. The new log file is as under. Today I installed and ran "eTrust PestPatrol v5.0" and it deleted a few pests, but I think that the problem is still there.
AVG Log File
1.10.2005 11:12:03 AVG for E-mail [7.0.338] started
1.10.2005 11:12:06.047 Using AVG Kernel: 7.0.344 [267.11.9]
1.10.2005 11:12:06.047 Config: C:\Documents and Settings\Malik\Application Data\AVG7\avgemc.cfg
1.10.2005 11:12:06.557 Using Cyrus SASL 2.1.13
1.10.2005 11:12:07.288 Starting the main loop
1.10.2005 11:12:07.288 Redirector version 70004
1.10.2005 11:12:07.369 Queue processing started
1.10.2005 11:12:07.369 [160] AutoPOP3(10110): Starting server
1.10.2005 11:12:07.589 Offline connection detected
1.10.2005 12:46:51 AVG for E-mail [7.0.338] started
1.10.2005 12:46:53.025 Using AVG Kernel: 7.0.344 [267.11.9]
1.10.2005 12:46:53.025 Config: C:\Documents and Settings\Malik\Application Data\AVG7\avgemc.cfg
1.10.2005 12:46:53.726 Using Cyrus SASL 2.1.13
1.10.2005 12:46:54.647 Starting the main loop
1.10.2005 12:46:54.647 Redirector version 70004
1.10.2005 12:46:54.717 Queue processing started
1.10.2005 12:46:54.717 [7d4] AutoPOP3(10110): Starting server
1.10.2005 12:46:55.428 Offline connection detected
1.10.2005 12:57:56 AVG for E-mail [7.0.338] started
1.10.2005 12:57:57.194 Using AVG Kernel: 7.0.344 [267.11.9]
1.10.2005 12:57:57.194 Config: C:\Documents and Settings\Malik\Application Data\AVG7\avgemc.cfg
1.10.2005 12:57:57.324 Using Cyrus SASL 2.1.13
1.10.2005 12:57:57.685 Starting the main loop
1.10.2005 12:57:57.685 Redirector version 70004
1.10.2005 12:57:57.735 [264] AutoPOP3(10110): Starting server
1.10.2005 12:57:57.735 Queue processing started
1.10.2005 12:57:58.095 Offline connection detected
1.10.2005 13:15:13.114 Online connection detected
1.10.2005 17:58:14.512 Offline connection detected
1.10.2005 17:58:51.946 Online connection detected
1.10.2005 17:58:52.196 Offline connection detected
1.10.2005 22:41:56 AVG for E-mail [7.0.338] started
1.10.2005 22:41:56.743 Using AVG Kernel: 7.0.344 [267.11.9]
1.10.2005 22:41:56.743 Config: C:\Documents and Settings\Malik\Application Data\AVG7\avgemc.cfg
1.10.2005 22:41:56.873 Using Cyrus SASL 2.1.13
1.10.2005 22:41:57.073 Starting the main loop
1.10.2005 22:41:57.073 Redirector version 70004
1.10.2005 22:41:57.123 [110] AutoPOP3(10110): Starting server
1.10.2005 22:41:57.123 Queue processing started
1.10.2005 22:41:57.544 Offline connection detected
1.10.2005 22:45:01.909 Online connection detected
Logfile of HijackThis v1.99.1
Scan saved at 11:39:37 PM, on 10/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\ALLTOT~1\ALLTOT~1.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Multimedir KBD] C:\Program Files\Multimedia Hotkey Program\MMKbd.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\RunOnce: [ Privacy Eraser Pro] C:\Program Files\PrivacyEraser Computing\Privacy Eraser Pro\PrivacyEraser.exe /ErIEIndex
O4 - HKCU\..\Run: [AllToTray] C:\PROGRA~1\ALLTOT~1\ALLTOT~1.EXE
O4 - Global Startup: MVSLOADR.lnk = C:\Program Files\Animated Desktop\MVSLOADR.EXE
O4 - Global Startup: ClipClear.exe.lnk = D:\Multimedia\Desktop Utilities\Clipclear\ClipClear.exe
O4 - Global Startup: Multimedia Hotkey.lnk = C:\Program Files\Multimedia Hotkey Program\MMKbd.exe
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{98AF6087-FB0C-4148-B468-0064B96CDC84}: NameServer = 203.128.3.18 203.128.7.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
LoPhatPhuud
Oct 2 2005, 09:57 PM
Mal1k,
You posted this problem at SpywareInfo as well. You have a response there so I am closing this log.