Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: grouchomrx on May 01, 2008, 06:42:21 PM
-
Hi, I've detected a trojan inside the PC. It seems to conect smtp servers to send spam. During Windows Boot, Avast detect as: Win32:Agent-WJT [trj], in a file called C:\Windows\Temp\Bn5.tmp Avast promts to delete, so It deletes, but it appears again while rebooting.
Trying to investigate deeper, I discovered there is somthing creating lots of smtp connections to unknown servers, going through avast mail server, and it doesn't detect anything. If stoping the avast mail server, it connects using svchost.exe. Apparently, it starts only when launching internet explorer, not before.
Using Netstat, the SMTP conections are all equal to this but different server
Proto Dirección local Dirección remota Estado PID
TCP pc-xxxx:3858 mail7.hsphere.cc:smtp SYN_SENT 8488
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]
I've found only 1 suspicious key using hijack, It can fix, but it appears again.
O20 - Winlogon Notify: WinNt32 - C:\WINDOWS\SYSTEM32\WinNt32.dll
I've tried to delete this dll, using killbox, but it always come again.
What can I do? I'm going crazyyy ???
Thank you.
Logfile of HijackThis v1.99.1
Scan saved at 15:50:10, on 01/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe
C:\Genius\ioCentre\gTaskBar.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Genius\ioCentre\gMouseTask.exe
C:\Genius\ioCentre\gKbdTask.exe
C:\Genius\ioCentre\gAutoPan.exe
C:\Genius\ioCentre\gAutoScroll.exe
C:\Genius\ioCentre\gZoom.exe
C:\Genius\ioCentre\gMGlass.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Genius\ioCentre\gIMMgm.exe
C:\Genius\ioCentre\gDeskMgm.exe
C:\Genius\ioCentre\gTaskSwitch.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Genius\ioCentre\gKbStatus.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoSTS08.exe
C:\WINDOWS\system32\cmd.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Rosa\Escritorio\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Archivos de programa\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [mouseElf] C:\ARCHIV~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [ioCentre] C:\Genius\ioCentre\gTaskBar.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [PcSync] C:\Archivos de programa\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC340A80-4883-40FB-9DA7-D41082431B53}: NameServer = 80.58.61.250,80.58.61.254
O20 - Winlogon Notify: WinNt32 - C:\WINDOWS\SYSTEM32\WinNt32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
-
Try a boot time scan with avast! first. Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested.
This has appeared on the forum before:
http://forum.avast.com/index.php?topic=34975.msg294992#msg294992 (http://forum.avast.com/index.php?topic=34975.msg294992#msg294992)
DrWeb seems to detect it, so you could try a scan with DrWeb CureIT! (http://www.freedrweb.com/cureit/)
-
Ok, it seems to be solved. I made a boot time scan with avast and found lots of virus containing files, then DrWeb found one more.
Thank you very much Frank ;)