Author Topic: NTKrnl and Win32:Agent-JXC [Trj]  (Read 7813 times)


Richie1888

  • Guest
NTKrnl and Win32:Agent-JXC [Trj]
« on: August 10, 2007, 12:58:14 PM »
I have both of these on my PC at the moment and can't get rid of them.

At boot-up I now get



Also at boot-up avast stops 2 outgoing connections:

-----------------------------------------
http:// 81.29.241.236 / spoolsv32.exe\[UPX]

which is virus

Win32:Agent-JXC [Trj]
-----------------------------------------

and

----------------------------------------------
http:// 81.29.241.180/ acc2/ spoolsv32.exe\[UPX]

which is virus

Win32:Agent-JXC [Trj]
----------------------------------------------

the only option I get is to abort the connection which I do.

I have run boot scans and normal scans and avast finds nothing, although the virus is mentioned in the second most recent VPS.

Another worrying thing is that the avast script blocker appears out of nowhere, loads up and disappears; could something be making a connection to the net when this happens?

Any advice from you guys would be great, and sorry my first post is asking for help.

Richie
« Last Edit: August 10, 2007, 03:43:51 PM by Richie1888 »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: NTKrnl and Win32:Agent-JXC [Trj]
« Reply #1 on: August 10, 2007, 02:16:42 PM »
Hi Richie1888,

Well, you have something on your system that avast! either can't see or can't detect.

I'd suggest some rootkit scans first, then scanning with some other anti-malware products to see if anything picks it up.

Look for and remove rootkits (hidden malware):

Panda Antirootkit
Blacklight
AVG Anti-Rootkit

If a rootkit is detected, run a boot time scan with avast! afterwards.

Here are some more options if that doesn't work:

Try a scan with DrWeb CureIT! and AVG Anti-Spyware Free (Requires Win2k/XP)

Try some online scans. (Disable avast! while scanning.)

F-Secure
BitDefender
Panda
Trend Micro Housecall

If still having problems, post a HijackThis! log.

When you have finished, scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections.



     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: NTKrnl and Win32:Agent-JXC [Trj]
« Reply #2 on: August 10, 2007, 03:27:48 PM »
Hi Richie1888,

Please break the urls to the infected/suspect files in your post to avoid accidental exposure to malware.

e.g. http :// 81.29.241.180 /acc2/spoolsv32.exe although the \ at the end of the url does result in a "Can`t fetch file pointed by your url. This may be caused by several reasons:" error on the DrWeb link checker.

A new tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php, might also catch what seems to be a rogue security application.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Richie1888

  • Guest
Re: NTKrnl and Win32:Agent-JXC [Trj]
« Reply #3 on: August 10, 2007, 04:01:37 PM »
Quote from: FreewheelinFrank on August 10, 2007, 02:16:42 PM (Reply #1 above)


Hi Frank

Thanks for the advice, I will definitely give it a try.

Just to avoid any confusion, by malware are you referring to spyware? If so, I have scanned with the latest updates of Spybot and Ad-Aware.

Avast does have the virus listed on its second last virus update, which I have, and when I run normal scans and boot scans nothing is found.

Do you have any opinions on why the script blocker is running sporadically when the PC is on? Is something managing to get out, or is it blocking something?

---------------------------------------------------------------------------------------------------------------------------------

Quote from: DavidR on August 10, 2007, 03:27:48 PM (Reply #2 above)

Hi David I have made a change now let me know if that does the trick.

I will give that a try and get back to you guys.



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: NTKrnl and Win32:Agent-JXC [Trj]
« Reply #4 on: August 10, 2007, 04:50:13 PM »
That's fine, it's just good practice not to have live links to suspect files; it stops the curious and others from accidental exposure.

Richie1888

  • Guest
Re: NTKrnl and Win32:Agent-JXC [Trj]
« Reply #5 on: August 10, 2007, 05:30:16 PM »
Quote from: DavidR on August 10, 2007, 04:50:13 PM (Reply #4 above)

Agreed; truth be told, when you go into the links it tells you that you're not authorised to view anyway, but I see your point.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: NTKrnl and Win32:Agent-JXC [Trj]
« Reply #6 on: August 10, 2007, 05:45:25 PM »
Malware means malicious software, which can refer to viruses, worms, Trojans, spyware and even some adware.

In this case we're probably looking for a Trojan downloader or a worm.

There's a lot of overlap between different scanners anyway, so the definition is not that important.

avast! detects what the malware on your computer is trying to download from the website and is blocking the download, but it does not detect the malware itself.

This could be because the malware (Trojan downloader or worm) on your computer is hidden, or it's not in avast!'s definitions.

So the steps to take are a) scan for possible rootkits hiding the malware and b) try some other scanners to see if they can find it.

Richie1888

  • Guest
Re: NTKrnl and Win32:Agent-JXC [Trj]
« Reply #7 on: August 10, 2007, 06:11:00 PM »
OK mate, cheers, will give this a try and let you know.


Richie1888

  • Guest
Re: NTKrnl and Win32:Agent-JXC [Trj]
« Reply #8 on: August 13, 2007, 12:50:23 PM »
Hi again guys.

Good news I managed to get the virus off my pc  ;D

After the latest update to avast it instantly picked up 2 viruses, which I moved to the chest as opposed to deleting, and I ran Trend Micro's Housecall, which found a few more unwanteds which I deleted. Although I had done this, the NTKRNL still remained at start-up. I went searching in the system32 folder for the file which could be loading this and found NTKRNLPA.exe. This was very similar to the splash screen I was getting except it was PE; I thought it was a bit too much of a coincidence, so I removed this file to the desktop and archived it. When the PC rebooted: success, the NTKRNL was gone and the outgoing connections had stopped.

Thanks for all the help guys but I was wondering if I can run something else by you.

I am concerned with the number of SVCHOST.EXEs running on my PC. Comodo, my firewall, believes that something on the PC is modifying these before they make outgoing connections. At the last count I had 4 running, but I have seen many more than this run at any given time.

I am slightly concerned as sometimes they can be using up to 22ks worth of memory. Not a great deal to lose, I know, but that's a lot of memory considering IE takes about the same amount up when it's running.

Sorry to ask again but any advice or opinions would be great.

Thanks

Richie


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: NTKrnl and Win32:Agent-JXC [Trj]
« Reply #9 on: August 13, 2007, 03:34:34 PM »
There will always be multiple occurrences of svchost.exe running (care should be taken on the spelling as that is a common tactic) as it is a service host.

I currently have 4 occurrences of svchost.exe running; you can use a tool like Process Explorer to investigate what it is running, but there is an easier way.

The infamous SVChost.exe issue
To find out what is using the SVCHOST Service.
Windows Start, Run, type (or copy and paste) "cmd.exe /k tasklist /svc > c:\tasklist.txt" without the quotes - this opens a command window and runs the tasklist for services, the > c:\tasklist.txt outputs the results to the file and location given:

Quote from: Example, extract from one I ran before
svchost.exe                 1020 DcomLaunch, TermService                     
svchost.exe                 1080 RpcSs                                       
svchost.exe                 1108 AudioSrv, BITS, CryptSvc, dmserver,         
                                 EventSystem, helpsvc, HidServ, Netman, Nla, 
                                 RasMan, Schedule, SENS, SharedAccess,       
                                 ShellHWDetection, TapiSrv, Themes, winmgmt, 
                                 wscsvc, wuauserv                             

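The tip above maps each svchost.exe PID to the services it hosts, and the earlier reply warns that near-miss spellings of the name are a common tactic. The script below is an added example, not DavidR's or the forum's code: it parses the text that `tasklist /svc` writes (or the sample extract quoted above, which is embedded here together with one constructed lookalike row), lists the services behind each genuine svchost.exe, and flags two things a defender would want a second look at: a svchost.exe that hosts no service at all, and any process name that merely resembles svchost.exe. The column layout it assumes is the one shown in the quoted extract; the `scvhost.exe` row and its PID are made up for the check.

```python
"""Added example (not DavidR's or the forum's code): parse `tasklist /svc`
output and summarise which services each svchost.exe hosts.

Assumes the column layout shown in the forum post: an "Image Name / PID /
Services" header, a row of '=' separators, one row per process, and
indented continuation rows when a long service list wraps.
"""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass, field

# Constructed sample: the three svchost rows quoted in the forum post, plus a
# header and one made-up lookalike process name to exercise the spelling check.
SAMPLE_TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1020 DcomLaunch, TermService
svchost.exe                   1080 RpcSs
svchost.exe                   1108 AudioSrv, BITS, CryptSvc, dmserver,
                                   EventSystem, helpsvc, HidServ, Netman, Nla,
                                   RasMan, Schedule, SENS, SharedAccess,
                                   ShellHWDetection, TapiSrv, Themes, winmgmt,
                                   wscsvc, wuauserv
scvhost.exe                   1532 N/A
"""

GENUINE_NAME = "svchost.exe"
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


@dataclass
class ProcessRow:
    image: str
    pid: int
    services: list[str] = field(default_factory=list)


def split_services(text: str) -> list[str]:
    """Turn 'A, B, C,' into ['A', 'B', 'C']; tasklist prints N/A when a process hosts no service."""
    return [s.strip() for s in text.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text: str) -> list[ProcessRow]:
    rows: list[ProcessRow] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # blank line, column header or separator row
        if line[0].isspace():
            if rows:  # wrapped continuation of the previous row's service list
                rows[-1].services.extend(split_services(line))
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(ProcessRow(m["image"], int(m["pid"]), split_services(m["services"])))
    return rows


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings of svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_svchost(rows: list[ProcessRow]) -> tuple[dict[int, list[str]], list[str]]:
    """Map each genuine svchost.exe PID to its services and collect rows worth a
    second look: a svchost hosting nothing, or a name that merely resembles it."""
    hosted: dict[int, list[str]] = {}
    findings: list[str] = []
    for row in rows:
        name = row.image.lower()
        if name == GENUINE_NAME:
            hosted[row.pid] = row.services
            if not row.services:
                findings.append(f"PID {row.pid}: svchost.exe hosts no service (N/A); check it in Process Explorer")
        elif edit_distance(name, GENUINE_NAME) <= 2:
            findings.append(f"PID {row.pid}: '{row.image}' is a lookalike of svchost.exe; check its path and publisher")
    return hosted, findings


def main() -> None:
    if sys.platform == "win32":
        text = subprocess.run(["tasklist", "/svc"], capture_output=True, text=True, errors="replace").stdout
    else:
        text = SAMPLE_TASKLIST_SVC  # off Windows, fall back to the constructed sample
    hosted, findings = review_svchost(parse_tasklist_svc(text))
    for pid, services in sorted(hosted.items()):
        print(f"svchost.exe PID {pid}: {', '.join(services) or 'N/A'}")
    for note in findings:
        print("LOOK AT:", note)


if __name__ == "__main__":
    main()
```

Run on a Windows machine it reads the live `tasklist /svc` output; anywhere else it runs against the embedded sample. The service names it prints are the ones to compare against services.msc, as the reply below suggests; the lookalike check is deliberately loose (edit distance of two) so that transpositions such as the constructed `scvhost.exe` are caught, at the cost of occasionally flagging a harmless name for a manual look.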

Richie1888

  • Guest
Re: NTKrnl and Win32:Agent-JXC [Trj]
« Reply #10 on: August 13, 2007, 03:56:24 PM »
Thanks, that's a great tip actually :D

Is there anything I should be avoiding, or anything that should stand out as a problem?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: NTKrnl and Win32:Agent-JXC [Trj]
« Reply #11 on: August 13, 2007, 04:12:00 PM »
You're welcome.

It is difficult to say what to look out for or avoid as the permutations are endless; all sorts of things hook on to svchost, but for the most part they are valid and don't ask for outbound connections. The listed names of processes using svchost are likely to be Windows functions/services and will show in services.msc. You can also Google any suspect service/function using svchost.exe.

What I would suggest is that you copy this tip (and possibly a link to the topic) into a Notepad text file so you can remember it and use the command string when you want to check out what is using svchost.exe.
« Last Edit: August 13, 2007, 04:14:14 PM by DavidR »

Richie1888

  • Guest
Re: NTKrnl and Win32:Agent-JXC [Trj]
« Reply #12 on: August 13, 2007, 05:02:53 PM »
Thanks mate, I'll do that.