My PC converted into a spammer machine

Hi!

I will try to explain as best I can, sorry for my English mistakes.
2 days ago the computer was fine, but yesterday I felt there was something not normal. I took a look at the active connections and I saw there were a lot of connections to other IP:port 25 from my IP:ephemeral port, so I took Wireshark and analyzed all the traffic and I saw it was trying to connect to mail servers to send spam with mail accounts I had never seen.
So I unplugged the internet wire and I started with an Avast! scan… nothing, so I took Spybot S&D… nothing, so I took Malwarebytes’… nothing.
I have seen that the process that does it is svchost.exe (one of the 2 or 4 that are in the machine); it starts after I connect the computer to the internet, before that it doesn’t try, but there is no other suspicious process running in the machine.
Also I have tried HijackThis, but I haven’t seen anything strange. I have looked at the services that are running via Start → Execute: services.msc, and I have stopped all the processes I could stop and the spam didn’t stop. I also looked with Sysinternals to see if I could find something strange, but I didn’t see it :S .

I haven’t installed anything on my computer; I have Windows XP updated (SP3), Comodo as firewall, and Avast! as antivirus, always on.
Now I have blocked all outgoing connections to port 25 with the firewall.

Have you any idea how I can find out since when it has been doing that?

Thanks a lot,
Best regards,

Jose
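The check Jose describes (looking at active connections for a process making many outbound port-25 connections) written as a small script. This is an added example, not part of the original thread; it parses constructed `netstat -ano` and `tasklist` output (the PIDs and addresses are made up) and flags PIDs with an unusual number of TCP/25 connections.

```python
"""Flag processes with many outbound SMTP (TCP/25) connections in `netstat -ano` output."""
import re
from collections import Counter

# Constructed sample of `netstat -ano` output (not taken from the original post).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1047      192.168.1.1:80         ESTABLISHED     1840
  TCP    192.168.1.10:1052      64.12.138.161:25       SYN_SENT        1064
  TCP    192.168.1.10:1053      209.85.225.27:25       ESTABLISHED     1064
  TCP    192.168.1.10:1054      65.55.37.72:25         SYN_SENT        1064
  TCP    192.168.1.10:1055      74.125.47.27:25        ESTABLISHED     1064
  TCP    192.168.1.10:1060      192.168.1.50:25        ESTABLISHED     2316
  UDP    0.0.0.0:123            *:*                                    1008
"""

# Constructed sample of `tasklist` output, used only to map a PID to its image name.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                   1064 Console                    0      4,212 K
outlook.exe                   2316 Console                    0     31,004 K
firefox.exe                   1840 Console                    0     52,112 K
"""

# UDP rows have no State column, hence the optional group before the PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_tasklist(text):
    """Map PID -> image name from tasklist output; header/separator lines do not match."""
    names = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            names[int(m.group(2))] = m.group(1).strip()
    return names

def smtp_connections_by_pid(text, port=25):
    """Count TCP connections per PID whose foreign (remote) port equals `port`."""
    counts = Counter()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m.group(1) != "TCP":
            continue
        foreign, pid = m.group(3), int(m.group(5))
        if foreign.rsplit(":", 1)[-1] == str(port):  # works for [ipv6]:port too
            counts[pid] += 1
    return counts

def suspicious_spammers(netstat_text, tasklist_text, threshold=3):
    """Return (pid, image, count) for PIDs at or above threshold; a mail client rarely holds that many."""
    names = parse_tasklist(tasklist_text)
    counts = smtp_connections_by_pid(netstat_text)
    return [(pid, names.get(pid, "?"), n) for pid, n in sorted(counts.items()) if n >= threshold]
```

On a live machine, feed it the real output of `netstat -ano` and `tasklist`; a generic host process holding several TCP/25 sessions to unrelated mail servers is the pattern worth investigating.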

Please use ComboFix and post the result. You do not need to install the Recovery Console. Be sure to disable all AV/AS guards while using it.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Download it to your Desktop, copy/paste the following line into Run/Execute and press Enter:

"%userprofile%\desktop\combofix.exe" /killall /skipfix

Hi tiolalu

I heard about this svchost.exe.

This is the information about this program so far:

Symptoms

It has come to our attention that in some non-standard versions of Windows XP, avast! antivirus may incorrectly identify an important system file as a rootkit infection. This concerns the French version of Windows XP, Service Pack 1 and the Russian version of Windows XP, Service Pack 2.

The following virus message is reported:

Win32:rootkit-gen [Rtk] has been found in c:\windows\system32\svchost.exe

This is a FALSE POSITIVE alert and the file should not be deleted.

Referrer site :

http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=306

Reminder:

If the program is using 50% CPU or if you press Ctrl + Alt + Del and there are two files named svchost.exe:

1st one is being used by System (then it is safe)

2nd the other is being used by User (OMG, it's a Trojan)

Note

If your answer is no. 1 then you're safe.

But if your answer is no. 2 then follow the guide below.

Then I suggest you use this guide to remove it:

http://forum.avast.com/index.php?topic=38203.0

Hope this helps

lind thanks, but that is not my problem; in mine Avast! detects nothing, and it has to detect something (I guess).

raman thanks for the response, here is the log, I hope I did it well (I overwrote the svchost.exe yesterday with another one from a clean computer): attached

->Log Deleted (attached in the first post)

It looks like your svchost.exe is from Windows XP SP2.

Please open Notepad and copy/paste the text in the quotebox below into it:

filelook::
G:\.\RECYCLER\RECYCLER\autorun.exe
G:\RECYCLER\RECYCLER\autorun.exe
c:\windows\system32\svchost.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which we will require in your next post.

Maybe you should attach the report instead of copy/pasting it…

Thanks again raman and sorry for the C&P, I would appreciate it if a moderator could delete the posts.

I have done that two times,
one with the SP2 svchost.exe (I got it from a friend with a clean computer, but it did the same as mine),
one with the SP3 svchost.exe (the original).

Do you still have the problem, and what kind of drive is G:?

Not at the moment; yesterday I tried to reproduce it but it did nothing. When I block port 25, the spam stops, and some time after I allow connections to port 25 it starts again.
May I do the same thing with ComboFix while the computer is sending spam?

Maybe my computer is waiting for an email list to spam, and if it hasn’t received it, it doesn’t start :S .
Really I don’t know what to think about this.

The drive G:… I don’t know, I have C, D and E only.

Thanks a lot.

There was a drive G: connected to your PC some time ago and it looks like it was infected (G:\RECYCLER\RECYCLER\autorun.exe).

About ComboFix, you should not use it without advice, because it is a very powerful and often updated tool (more than once a day).

Consider making some more control scans with e.g. http://freedrweb.com/

and the boot CD from Avira AntiVir Rescue System:

http://board.protecus.de/files/avira-bootcd-info/index_en.html

Both programs do not need an installation.

Ok thanks, I will do it :) .