Author Topic: concurrent connections limit in avast  (Read 67185 times)


Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: concurrent connections limit in avast
« Reply #30 on: November 30, 2007, 06:46:01 AM »
There is a long history here of winlogon or services appearing to be the process sending spam mail without itself being infected on file.

I do not have a simple answer, but these links seem to indicate that the basic activity reported here is not uncommon:

http://vil.nai.com/vil/content/v_137439.htm

http://vil.nai.com/vil/content/v_139593.htm

That is, connecting via port 80 to a site to get instructions and a mailing list, then generating the resulting spam via its own built-in SMTP engine.

It suggests possibly something running at startup that is able to compromise the winlogon and/or services space without compromising those processes on file (so you can send them to VT until the crack of doom and they will never register anything).

A HijackThis report might shed some clues.

« Last Edit: November 30, 2007, 06:56:18 AM by alanrf »
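The pattern alanrf describes (a system process such as winlogon or services holding several outbound SMTP sessions while its on-disk image scans clean) can be checked from the host's own connection table. The following is an added example, not code from this thread or from any of the tools named in it: it parses `netstat -ano` and `tasklist` style output, maps PIDs to image names, and flags system processes talking to mail ports, as well as counting concurrent connections per process. The sample output, the process names `mailproxy.exe` and `OUTLOOK.EXE`, and all PIDs and addresses are constructed for illustration.

```python
"""
Spot Windows system processes (winlogon.exe, services.exe, lsass.exe, ...)
that hold outbound mail connections, and count concurrent TCP connections
per process. Added example; the inputs below are constructed text in the
shape of `netstat -ano` and `tasklist` output, not real captures.
"""
import re
from collections import defaultdict

# Processes that should never originate mail traffic on a workstation.
SYSTEM_PROCESSES = {"winlogon.exe", "services.exe", "lsass.exe", "csrss.exe"}
# Remote ports used for mail submission / relay.
MAIL_PORTS = {25, 465, 587}

# Constructed sample in `netstat -ano` layout (Proto, Local, Foreign, State, PID).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1040      203.0.113.7:80         ESTABLISHED     748
  TCP    192.168.1.10:1041      198.51.100.21:25       ESTABLISHED     748
  TCP    192.168.1.10:1042      198.51.100.22:25       SYN_SENT        748
  TCP    192.168.1.10:1043      198.51.100.23:25       ESTABLISHED     748
  TCP    192.168.1.10:1050      127.0.0.1:12025        ESTABLISHED     2312
  TCP    127.0.0.1:12025        127.0.0.1:1050         ESTABLISHED     1688
  TCP    192.168.1.10:1051      203.0.113.9:587        ESTABLISHED     2312
"""

# Constructed sample in `tasklist` layout; mailproxy.exe is a hypothetical
# local mail-scanning proxy listening on 127.0.0.1, as a mail scanner would.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
winlogon.exe                   748 Console                    0      4,812 K
mailproxy.exe                 1688 Console                    0     12,904 K
OUTLOOK.EXE                   2312 Console                    0     58,220 K
"""

# TCP rows only: UDP rows carry no State column and are not connections.
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$"
)
TASKLIST_LINE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return a list of (pid, remote_host, remote_port, state) for TCP rows."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            conns.append((int(m.group(6)), m.group(3), int(m.group(4)), m.group(5)))
    return conns


def parse_tasklist(text):
    """Return {pid: image_name_lowercase} from `tasklist` output."""
    images = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if m:
            images[int(m.group(2))] = m.group(1).strip().lower()
    return images


def concurrent_connections(netstat_text, tasklist_text):
    """Count open TCP connections per image name, regardless of port."""
    image_by_pid = parse_tasklist(tasklist_text)
    counts = defaultdict(int)
    for pid, _host, _port, _state in parse_netstat(netstat_text):
        counts[image_by_pid.get(pid, f"pid:{pid}")] += 1
    return dict(counts)


def find_suspicious_mailers(netstat_text, tasklist_text):
    """
    Return {image_name: number_of_mail_port_connections} for system
    processes only. A winlogon.exe with several port 25 sessions is the
    symptom discussed in the thread: a spam engine hidden in a hooked
    system process while the file on disk stays clean.
    """
    image_by_pid = parse_tasklist(tasklist_text)
    hits = defaultdict(int)
    for pid, _host, port, _state in parse_netstat(netstat_text):
        image = image_by_pid.get(pid, f"pid:{pid}")
        if port in MAIL_PORTS and image in SYSTEM_PROCESSES:
            hits[image] += 1
    return dict(hits)


if __name__ == "__main__":
    for image, n in find_suspicious_mailers(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"ALERT: {image} holds {n} connection(s) to mail ports")
    for image, n in concurrent_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"{image}: {n} concurrent TCP connection(s)")
```

On a real host the two samples would be replaced by the captured output of `netstat -ano` and `tasklist`; the mail client's own sessions through the local scanning proxy are legitimate and are not flagged, only system processes that reach mail ports directly.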

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: concurrent connections limit in avast
« Reply #31 on: November 30, 2007, 09:26:17 AM »
alanrf: you're right... I think that there's some kind of hooker (maybe a rootkit) which modifies winlogon after it loads, while the physical file is untouched...

Offline ermite67

  • Jr. Member
  • **
  • Posts: 23
Re: concurrent connections limit in avast
« Reply #32 on: November 30, 2007, 09:37:02 AM »
Hi,

Panda Anti-Rootkit has found a rootkit (c:\windows\system32:xpdt.sys) and has cleaned it, but the result is that my computer is infected again: see panda_rootkit.jpg attached.


Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: concurrent connections limit in avast
« Reply #33 on: November 30, 2007, 09:39:04 AM »
try to run www.gmer.net instead of panda ;)

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: concurrent connections limit in avast
« Reply #34 on: November 30, 2007, 10:00:56 AM »
In doing a scan I cannot find anything reported about xpdt.sys other than "this is a very nasty piece of software".

I have to ask then:

Has the original poster not performed an avast scan?

-or-

Has avast failed the original poster (and the community at large) by not detecting this apparent malware (if Panda can report it, should not avast too)?

Offline ermite67

  • Jr. Member
  • **
  • Posts: 23
Re: concurrent connections limit in avast
« Reply #35 on: November 30, 2007, 10:48:56 AM »
Hi,

@Maxx_original,

Gmer 1.0.13 crashes my computer, which reboots. I have re-run it and it crashes again...

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: concurrent connections limit in avast
« Reply #36 on: November 30, 2007, 10:58:47 AM »
aaargh >:(... it's some kind of protection against gmer, I guess..

Offline ermite67

  • Jr. Member
  • **
  • Posts: 23
Re: concurrent connections limit in avast
« Reply #37 on: November 30, 2007, 11:01:51 AM »
I have downloaded and am now running the Microsoft® Windows® Malicious Software Removal Tool (KB890830).
Wait and see...

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: concurrent connections limit in avast
« Reply #38 on: November 30, 2007, 11:23:02 AM »
Quote
aaargh ... it's some kind of protection against gmer i guess..

Quite possible ... it runs just fine on my system ... but then I do not have xpdt.sys

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: concurrent connections limit in avast
« Reply #39 on: November 30, 2007, 11:30:58 AM »
btw: Przemek from GMER already reported xpdt to us and we're detecting it as Costrat... I don't know which variant of xpdt is present on your system, but you should schedule a boot-time scan and look for any Costrat references..

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: concurrent connections limit in avast
« Reply #40 on: November 30, 2007, 11:37:10 AM »
btw: if you are able to locate the xpdt.sys somehow (through the cmdline, e.g.) we'd be glad to see it... we can also report it to Przemek from GMER so that he is able to fix the crash/reboot problem..

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11805
    • AVAST Software
Re: concurrent connections limit in avast
« Reply #41 on: November 30, 2007, 11:38:09 AM »
Btw, for avast! to be able to detect and remove the rootkit file (c:\windows\system32:xpdt.sys), the latest beta version is certainly needed.
(I'm not saying it would detect it if the rootkit is active (don't know), but older versions of avast! certainly wouldn't, even if it is not active.)

Offline ermite67

  • Jr. Member
  • **
  • Posts: 23
Re: concurrent connections limit in avast
« Reply #42 on: November 30, 2007, 11:56:29 AM »
Result of Rustbfix.exe:
================

AVENGER.TXT:
==================================================================================
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mkjrtfkj

*******************

Script file located at: \??\C:\Program Files\hvtts^wx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver xpdt unloaded successfully.
Program D:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished!  Terminate.


PELOG.TXT:
==================================================================================

Rustock.b-ADS attached to the System32-folder:
Attempting to remove ADS...

Looking for Rustock.b-files in the System32-folder:
Commande ECHO désactivée.


******************* Post-run Status of system *******************

Rustock.b-driver on the system:
YOU NEED TO CONSULT MORE ADVANCED TOOLS!!
The Gmer-rootkitscanner may be a good place to start.
Gmer rootkit-scanner may be found here: http://www.gmer.net

Rustock.b-ADS attached to the System32-folder:
Commande ECHO désactivée.
You should either run the tool again or consult more advanced tools
The Gmer-rootkitscanner may be a good place to start.
Gmer rootkit-scanner may be found here: http://www.gmer.net

Looking for Rustock.b-files in the System32-folder:
Commande ECHO désactivée.
You should either run the tool again or consult more advanced tools
Swandog46's Avenger or Gmer's-rootkitscanner may be a good place to start.
Swandog46's Avenger may be found here: http://swandog46.geekstogo.com/avengernotes.htm
Gmer rootkit-scanner may be found here: http://www.gmer.net


******************************* End of Logfile ********************************


Offline ermite67

  • Jr. Member
  • **
  • Posts: 23
Re: concurrent connections limit in avast
« Reply #43 on: November 30, 2007, 07:29:09 PM »
Hi,

Result of BitDefender Online Scanner: No virus found


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: concurrent connections limit in avast
« Reply #44 on: November 30, 2007, 07:41:08 PM »
After installing the Comodo v3 firewall, I've started to get the same problem with the following configuration:
Stunnel & avast & Windows Mail & Vista
Until yesterday, I could download and send email (both scanned by avast) without problems.
Now I get "concurrent connections limit exceeded".
Any suggestions?

Computer seems clean.
On XP, the same configuration (Stunnel & avast & Outlook Express) works.
By the way, MS Outlook and Thunderbird fail with the same error (127.0.0.1 connection time exceeded).
« Last Edit: November 30, 2007, 07:43:12 PM by Tech »
The best things in life are free.