too many identical e-mails (again, but no virus found)

Hello,

After "googling" a lot to solve my problem, I decided to register on this forum and write some lines about it.
In the hope someone can help me.

A couple of days ago, Avast started popping up saying "too many identical e-mails etc.". The senders, recipients, and subjects were obviously spam-oriented ;D
I read the other threads in this forum dealing with the "too many mails" problem. Each had a solution where the threat was detected.

So I started using the different tools recommended here and there on the net for such cases.
I run XP Pro SP2 (up to date), Avast! Free Home (up to date), Kerio Personal Firewall 4

I used :

  • ewido in safe mode
  • HijackThis, with the different online log parsing tools as well
  • online scans by Panda, Kaspersky, BitDefender

None of the methods revealed anything!!! ???

So I am close to reinstalling all the XP stuff, which I would rather not do.

By reading this helpful forum, I tuned the avast.ini file to show better mail log information: avast receives the mail from process \windows\system32\services.exe on port 12025 (SMTP) >:(
What is this? Does it mean that some malware modified this program?
Does somebody have a new direction where to search ?

Here is my hijackthis log :

```
Logfile of HijackThis v1.99.1
Scan saved at 12:01:24, on 20/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXBLKsk] C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e\Disk_Monitor.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office2000\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .STK: C:\Program Files\Internet Explorer\PLUGINS\nphsw32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
```

If somebody can help me I would be very grateful.

Hekto

An on-line analysis of your log (HiJackThis Analysis) shows this as "Possibly Nasty". Other than that, nothing else.
O4 - HKLM..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe

However, there are instances in a Google search for wltray.exe that say it is part of the Dell Wireless WLAN Card and provides additional configuration options for these devices. So if you have one of these, no problem; if not, check the offending/suspect file at Jotti - Multi engine on-line virus scanner, or VirusTotal - Multi engine on-line virus scanner. If any other scanners there detect it, it is less likely to be a false positive.

It is strange that Kerio didn't ask permission for the sending process, so it must be using OE and/or it may well be a hidden process.

Also see Hidden things http://invisiblethings.org

RootkitRevealer from Sysinternals (http://www.sysinternals.com/utilities/rootkitrevealer.html) will check whether there is in fact a rootkit-type virus deeply hidden.
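The two observations that matter in this thread are that avast's mail log attributes the outbound mail to services.exe rather than to the mail client, and that the firewall never prompted for the sending process (a hint that the real sender may be hidden). The check a practitioner would run on the affected XP box is to correlate every connection to an SMTP port with the process that owns it, using `netstat -ano` and `tasklist /fo csv`. The script below does that over constructed sample output, as an added example that is not code from this thread or from Avast; the port numbers, the allow-list containing thunderbird.exe, and the sample connections are assumptions chosen to mirror the situation described above.

```python
"""Correlate outbound SMTP connections with their owning process.

Added example, not code from the forum thread. On Windows XP the two
commands whose output is parsed here are `netstat -ano` (connections with
PID) and `tasklist /fo csv` (PID to image name). The sample output below is
constructed, not captured from a real host: avast's mail scanner proxy is
assumed to listen on 127.0.0.1:12025, and the connection to it arrives from
services.exe instead of the mail client. One connection belongs to a PID
that tasklist does not list at all, which is the hidden-process case.
"""
import csv
import io
import re

# Ports treated as SMTP: 25 (SMTP), 587 (submission), 12025 (avast mail
# proxy, as reported in the thread). Assumption for this example.
SMTP_PORTS = {25, 587, 12025}

# Processes allowed to talk SMTP. Assumption: the mail client is Thunderbird.
ALLOWED_SENDERS = {"thunderbird.exe"}

# Constructed sample output of `netstat -ano`.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       1540
  TCP    127.0.0.1:1052         127.0.0.1:12025        ESTABLISHED     728
  TCP    192.168.1.10:1053      64.12.138.161:25       SYN_SENT        728
  TCP    192.168.1.10:1047      209.85.135.83:443      ESTABLISHED     2012
  TCP    192.168.1.10:1060      212.27.48.4:25         ESTABLISHED     3480
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample output of `tasklist /fo csv`. PID 3480 is deliberately
# absent: a process that owns a socket but is invisible to tasklist.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"services.exe","728","Console","0","3,904 K"
"svchost.exe","896","Console","0","4,568 K"
"ashMaiSv.exe","1540","Console","0","8,120 K"
"firefox.exe","2012","Console","0","61,032 K"
"""

# proto, local, foreign, optional state (absent on UDP lines), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (local, foreign_host, foreign_port, state, pid) for TCP lines."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m.group(1) != "TCP":
            continue
        _proto, local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")
        if not port.isdigit():
            continue
        conns.append((local, host, int(port), state or "", int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> lowercase image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"].lower() for row in reader}


def find_suspect_smtp(netstat_text, tasklist_text, allowed=ALLOWED_SENDERS):
    """Return (image, pid, foreign_host, foreign_port) for every outbound
    connection to an SMTP port whose owner is not an allowed mail client.
    A PID missing from tasklist is reported as '<unknown pid>' rather than
    dropped, because a socket with no visible owner is exactly what a
    hidden process looks like from user mode."""
    pid_to_image = parse_tasklist(tasklist_text)
    suspects = []
    for _local, host, port, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING" or port not in SMTP_PORTS:
            continue  # only outbound connections to SMTP ports
        image = pid_to_image.get(pid, "<unknown pid>")
        if image in allowed:
            continue
        suspects.append((image, pid, host, port))
    return suspects


if __name__ == "__main__":
    for image, pid, host, port in find_suspect_smtp(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"SMTP from {image} (pid {pid}) -> {host}:{port}")
```

On a live machine you would replace the two sample strings with the real command output; a system process such as services.exe in the result means something has been injected into it, and an unknown PID means the owner is hidden from the process list and warrants a rootkit scan.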

Thank you DavidR.

For email, I do not use OE.
I only use Thunderbird (1.5.0.2) or webmail like Gmail or Yahoo's webmail.
TB is the default mail program on my system.
When I use TB, Avast mail logs show it.
That is what makes me think of a very insidious malware.

I’ll try the links you gave.
I’ll be back soon… I guess

By the way, wltray seems to be safe: it is for my Belkin wireless adapter.

By the way, wltray seems to be safe: it is for my Belkin wireless adapter.
Yes that was one of the other options I found for it.

It is possible that the spambot would use your default email program; some actually come with their own SMTP program, and these are usually caught by a good firewall.

:) Hi Hekto:

The HijackThis log you posted looks like it was run in "SAFE Mode"!? If yes, NEVER post a HJT log on a forum that has been run in that mode, but only in "Regular Mode".
Even better, HijackThis logs are better "evaluated" by experts on anti-spyware forums, & since you appear to have Spybot, perhaps you should use THEIR forums at: http://forums.spybot.info !?

Actually, I don’t exactly remember, but I trust you.
I will regenerate it.

Spybot search and destroy is one of the programs I tried.
I forgot to mention this before.
I’ll take a look at that forum.

Thank you for your advice.

I post here because I found people having the same symptoms with avast.
It seems they found good help. ;)

I'll take the second option, since the avast logs do not show TB activity when this happens, while TB is pointed out when I send regular emails.

Trend Micro BlackLight is also worth a try: it will detect rootkits like Rootkit Revealer but can also remove them.

http://www.f-secure.com/blacklight/

Yep! BlackLight found http://www.bleepingcomputer.com/startups/sysbus32.sys-14340.html !
Hope it was my problem.

Thanks a lot to all of you.

I’ll come back if it was not the solution.

Bye

Hopefully that was the problem, welcome to the forums.