Avast found AOSMTP.dll, but no other software has???

I did multiple scans with Avast which came up with this…

c:\System Volume Information.…AOSMTP.dll

c\windows\downloaded installations.…\AOSMTP.dll

127.0.0.1. mpa.one.microsoft.com

Win32:Trojan-gen{other} Malware
c:\System Volume Inofrmation_restore(f20D1323-040F-44C5-a3a

I tried putting it in the chest, I’ve tried deleting, but Avast at the end of the scan tells me it can’t due to wrong file type or something to that extent.

Malwarebytes, came up with nothing
Threatfire, came up with nothing
Superantivirus, came up with nothing
Spywaredoctor, listed a bunch of stuff but I’d have to pay to remove, So I don’t really trust that software.
Ad-aware, came up with nothing
I even used Eusing free registry cleaner but did not find anything listing AOsmtp.dll

So I don’t know what to do. :confused:

Hi Vstorm,

If you have installed this AOSMTP.dll and you have ContactManager or Gecko Mail then the file is legit,
you can check up the dll against the information here: http://help.geckosoftware.com/support_forum/viewtopic.php?t=2537
In the mentioned case this is an FP from avast av and you can make an exclusion for this dll, and wait until the FP is no longer there in a coming iAVS-update.


File description:  AOSMTP Module
Type:              Application Extension
File version:      6.4.1.3
Product name:      AOSMTP Module
Product version:   6, 4, 1, 3
Copyright:         Copyright 2005 AdminSystem Software Limited
Size:              264 KB (270,336 bytes)
Date modified:     5/29/2005 8:06 PM
Language:          English

md5 checksum:      172d09d775d3af702f9ec7b8d32cc36b 

In other cases it is malcode and should be treated as described below:

Aosmtp.dll is Troj/Banker-DIO: re: http://www.sophos.com/security/analyses/viruses-and-spyware/trojbankerdio.html
Related files:
%Temp%\data.inf
%System%\aosmtp.dll
%System%\azip32.dll
%System%\cshost.exe
%System%\cshost.ini
%System%\ijl11.dll
%System%\lovecard.scr
%System%\spooll.exe
Kill the file aosmtp.dll and remove aosmtp.dll from Windows startup.

To get a second opinion, you can check the flagged dll aosmtp.dll against virustotal.com and report the results here to see if it is indeed a false positive.

polonus (malware fighter)
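The two checks described in the post above (compare the flagged DLL with the details given for the legitimate AOSMTP Module, then look for the files listed for Troj/Banker-DIO), as an added example that is not part of the original post. The function names are hypothetical, and mapping %System% to `%SystemRoot%\System32` and %Temp% to the `TEMP` environment variable is an assumption.

```python
import hashlib
import os
from pathlib import Path

# Values quoted in the post above for the legitimate AOSMTP Module 6.4.1.3.
KNOWN_GOOD_MD5 = "172d09d775d3af702f9ec7b8d32cc36b"
KNOWN_GOOD_SIZE = 270336  # bytes
# Companion files the post lists for Troj/Banker-DIO, by location.
RELATED = {
    "system": ["aosmtp.dll", "azip32.dll", "cshost.exe", "cshost.ini",
               "ijl11.dll", "lovecard.scr", "spooll.exe"],
    "temp": ["data.inf"],
}


def md5_of(path, chunk_size=65536):
    """Hash the file in chunks so it is never loaded whole into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_known_good(path):
    """True only if size and MD5 both equal the values quoted in the post."""
    return (os.path.getsize(path) == KNOWN_GOOD_SIZE
            and md5_of(path) == KNOWN_GOOD_MD5)


def find_related(system_dir, temp_dir):
    """List companion files present on disk (names compared case-insensitively)."""
    found = []
    for key, folder in (("system", Path(system_dir)), ("temp", Path(temp_dir))):
        if not folder.is_dir():
            continue
        present = {entry.name.lower(): entry for entry in folder.iterdir()}
        found += [str(present[n]) for n in RELATED[key] if n in present]
    return found


if __name__ == "__main__":
    # Assumed locations: %SystemRoot%\System32 for %System%, %TEMP% for %Temp%.
    system = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    dll = system / "aosmtp.dll"
    if dll.is_file():
        print("matches legitimate build:", matches_known_good(dll))
    print("related files:", find_related(system, os.environ.get("TEMP", ".")))
```

A copy that fails `matches_known_good` is not thereby shown to be malicious, only different from the build described in the post; `find_related` also reports `aosmtp.dll` itself when it sits in the system directory, since the post lists that path.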

Can you report the file as being a false positive? (click on the bottom right of the virus warning message).

To know if a file is a false positive, please submit it to VirusTotal and let us know the result. VirusTotal has a file size limit of 10Mb. You can use VirScan also.
If it is indeed a false positive, send it in a password protected zip to virus@avast.com. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable Hide protected operating system files and enable View hidden files and folders to manage the file(s).

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be careful, you should ‘exclude’ that many files that let your system in danger.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586

Hello, and thanks for the response! To my knowledge I never installed any aosmtp.dll. I also do not have gecko mail. I’m not sure what “contact manager” is, but if it is related to msn live, then I have that.

I also just downloaded and ran Trend micro hijackthis, but did not see anything listing aosmtp.dll. I have a log of it but would rather not post it out in the open. Could I send a message privately to you with the log?

In regards to the second response, I’ll look into what you have suggested right now. Thanks again!

Hi Tech,

Thanks for the avast specific addenda to the above postings, we should have a sticky for that to point out at, but you did that more or less with your links,

Damian

I’m not an expert on HijackThis… But you can check the automatic analysis of your HijackThis log here.

You can find more info in the links of the last column of this table.
That info could guide you on the cleaning process.
Anyway, if you have doubts, just post here.
Also, take a careful look at the first column of the table:

  1. If you don’t recognize a legit program in one of the items marked as FIX IF UNKNOWN, please post it back here and maybe we can help you. Or, if you’re sure it’s a malware item, you can remove it as posted below.

  2. If you agree with the automatic classification of the infected items marked as FIX (CHECK NOTES!), you can turn back to HijackThis program, check the box of this item and then remove it using the button ‘Fix checked’.

Hope it helps.

If you want to do it by yourself, click here to download HJTsetup.exe

  1. Save HJTsetup.exe to your desktop.
  2. Double-click on the HJTsetup.exe icon on your desktop.
  3. By default it will install to C:\Program Files\Hijack This.
  4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  5. Put a check by Create a desktop icon then click Next again.
  6. Continue to follow the rest of the prompts from there.
  7. At the final dialogue box click Finish and it will launch Hijack This.
  8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  9. Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  10. Come back here to this thread and Paste the log in your next reply.
  11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

I updated Avast again, and ran a scan. This is what came up as a virus…

C:\System Volume Information_restore{F20D1323-040F-44C5-A3AD-47858FA3E65F}\RP808\A0064501.msi\Data1.cab\AOSMTP.dll

End report when I tried to put in a chest or delete it…

c:\System Volume Information.…\AOSMTP.dll Infection:Win32 Trojan-gen{Other} Error occurred during moving file to chest: The operation is not supported for this file type of archive.

c:\System Volume Information.…\AOSMTP.dll Infection:Win32 Trojan-gen{Other} Error occurred during file deleting: The operation is not supported for this type of archive.

I double-clicked on the System Volume Information folder and I got an access is denied pop up. I can’t even upload it to allow one of those links to examine it. Windows won’t let me. :frowning:

If the boot time scanning couldn’t manage the file, you need to delete all your old restore points to get rid of those files…

Disable System Restore on Windows ME, XP or Vista. System Restore is not available in Windows 9x and 2k. After disabling you can enable it again.

Ok I have disabled it. What do I do next? Rescan? Or re-enable then scan? Or reboot? Or?

Boot, enable system restore again, create a restore point, schedule a boot time scanning.

Ok I did that and no viruses detected. Not sure what was “fixed”, but it makes me want to uninstall xp and go to linux even more. lol

Thanks for the help!!!

You’ve deleted the restore points, create a new clean one, just that.