Mail Bot

Hi all. I first noticed this when Bitdefender (Internet Security 2008) was notifying that it was scanning outgoing mail, many times in succession! I know my email client was not sending. When I go to settings, antivirus, more statistics, it indicates many scanned emails and in the "last scanned email" it shows there is obvious spam email activity from my computer. If I go to firewall, activity, and look under "svchost", and expand "connections", there are many open connections on port 25, which are continually updating. My PC is obviously being used as a bot to send spam. Bitdefender has picked up nothing unusual. I gave Spybot a go and it also picks up nothing threatening. Any ideas?


Cheers, Fester
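The symptom described above (one process holding many simultaneous outbound connections to port 25) can be spotted from a plain `netstat -ano` listing. The script below is an added example, not code from the thread or from Bitdefender: it parses constructed sample `netstat -ano` output (the addresses and PIDs are made up) and flags any PID talking to three or more distinct SMTP servers at once, which a normal mail client does not do.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows), not captured from the thread.
# PID 1480 behaves like the spam bot described above; 2210 is a normal client.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.5:1201       192.0.2.10:25          SYN_SENT        1480
  TCP    192.168.1.5:1202       192.0.2.11:25          ESTABLISHED     1480
  TCP    192.168.1.5:1203       198.51.100.7:25        SYN_SENT        1480
  TCP    192.168.1.5:1204       198.51.100.8:25        ESTABLISHED     1480
  TCP    192.168.1.5:1205       192.0.2.11:25          SYN_SENT        1480
  TCP    192.168.1.5:1300       203.0.113.10:25        ESTABLISHED     2210
  TCP    192.168.1.5:1400       203.0.113.20:80        ESTABLISHED     2210
  UDP    0.0.0.0:500            *:*                                    700
"""

# Only TCP rows carry a state column; UDP rows are skipped on purpose.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Yield (local, remote_host, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, remote, state, pid = m.groups()
        host, port = remote.rsplit(":", 1)  # rsplit also handles [::1]:25
        yield local, host, int(port), state, int(pid)


def smtp_peers_by_pid(text):
    """Map PID -> set of distinct remote hosts it is connected to on port 25."""
    peers = defaultdict(set)
    for _local, host, port, _state, pid in parse_netstat(text):
        if port == 25:
            peers[pid].add(host)
    return dict(peers)


def flag_suspect_pids(text, threshold=3):
    """Return PIDs with at least `threshold` distinct SMTP peers, sorted."""
    return sorted(pid for pid, hosts in smtp_peers_by_pid(text).items()
                  if len(hosts) >= threshold)


if __name__ == "__main__":
    for pid in flag_suspect_pids(SAMPLE_NETSTAT):
        print(f"PID {pid}: {len(smtp_peers_by_pid(SAMPLE_NETSTAT)[pid])} SMTP peers")
```

A flagged PID can then be looked up with `tasklist /svc` to see which service (or injected library) it hosts.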

Comments

  • Please post a HijackThis/Startuplist log and a GMER log.

  • I have managed to stop the activity.


    Did a Kaspersky online scan and it detected:


    Infected Object Name Virus Name Last Action


    [1344] winlogon.exe => C:\WINDOWS\system32\deskperf32.dll Infected: Trojan.Win32.Agent.dwg


    I then renamed the DLL and re-booted.


    Problem gone!


    This is the line from the GMER log:


    ---- Processes - GMER 1.0.14 ----


    Library C:\WINDOWS\system32\deskperf32.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1260] 0x10000000

  • I have now installed a clean deskperf32.dll from a backup and have no issues now. BD cannot be picking up on that particular trojan??

  • Hello sir,


    please attach the infected file in a password protected archive.


    Thanks!

  • Hello sir,


    please attach the infected file in a password protected archive.


    Thanks!


    File attached. I added a Bak extension initially to prevent it loading to see if that was the problem, and it stopped the spam email activity. When I removed the Bak extension just to prove that was the cause the deskperf32.dll file disappeared on re-boot and a file called deskperf32.dll.bdren was generated and the activity started again! By adding a Bak extension to that file and re-booting the activity stopped again.

    Attachment: deskperf32.dll.zip