I discovered massive outgoing traffic on remote port 25 on my machine. The traffic is caused by svchost.
It was easy to discover which process it was (it used a lot more memory than the usual svchost processes). As soon as I kill the process, a window pops up saying that Windows is going to shut down in 1 minute.
shutdown -a fixed that.
A full system scan with F-Secure Internet Security 2009 finds nothing.
I ran HJT, but found nothing suspicious:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 16:46:49, on 24.12.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\RegCure\RegCure.exe
C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\emaudsv.exe
C:\Programme\Gemeinsame Dateien\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe
C:\Programme\Gemeinsame Dateien\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe
C:\Programme\Internet Security\Anti-Virus\fsgk32st.exe
C:\Programme\Internet Security\Common\FSMA32.EXE
C:\Programme\Internet Security\Anti-Virus\FSGK32.EXE
C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Programme\Internet Security\Common\FSHDLL32.EXE
C:\Programme\Contour Shuttle\ShuttleEngine.exe
C:\Programme\DellTPad\Apoint.exe
C:\Programme\Internet Security\Common\FSM32.EXE
C:\Programme\Contour Shuttle\ShuttleHelper.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Programme\Java_ME_platform_SDK_3.0\bin\device-manager.exe
C:\Programme\SpeedswitchXP\SpeedswitchXP.exe
C:\Programme\Ashampoo\Ashampoo UnInstaller 2010\UIWatcher.exe
C:\Programme\Java\jdk1.6.0_17\bin\javaw.exe
C:\Programme\DellTPad\ApMsgFwd.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\DellTPad\HidFind.exe
C:\Programme\DellTPad\Apntex.exe
C:\Programme\PeerBlock\peerblock.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programme\Internet Security\Anti-Virus\fssm32.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Internet Security\FWES\Program\fsdfwd.exe
C:\Programme\Internet Security\Anti-Virus\fsav32.exe
C:\Programme\Internet Security\FSGUI\fscuif.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\netstat.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\svchost.exe
C:\hjt\Google.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Programme\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Programme\Internet Security\NRS\iescript\baselitmus.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Programme\Internet Security\NRS\iescript\baselitmus.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Programme\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Apoint] C:\Programme\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Contour Shuttle Device Helper] C:\Programme\Contour Shuttle\ShuttleHelper.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [Java(TM) ME Platform SDK 3.0] "C:\Programme\Java_ME_platform_SDK_3.0\bin\device-manager.exe"
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Programme\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Programme\Ashampoo\Ashampoo UnInstaller 2010\UIWatcher.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PeerBlock.lnk = C:\Programme\PeerBlock\peerblock.exe
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programme\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258060225234
O17 - HKLM\System\CCS\Services\Tcpip\..\{644EF1B1-ABB1-4DF3-85B0-2D684C1A7A93}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC8342CA-B1A6-48E6-8BC1-355842E0C230}: NameServer = 195.186.1.111,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{644EF1B1-ABB1-4DF3-85B0-2D684C1A7A93}: NameServer = 208.67.222.222,208.67.220.220
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: E-MU Audio Service (emaudsv) - E-MU Systems - C:\WINDOWS\system32\emaudsv.exe
O23 - Service: Emma Device Management (EmmaDevMgmtSvc) - Sony Ericsson Mobile Communications - C:\Programme\Gemeinsame Dateien\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe
O23 - Service: Emma Update Management (EmmaUpdMgmtSvc) - Sony Ericsson Mobile Communications - C:\Programme\Gemeinsame Dateien\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Programme\Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Programme\Internet Security\ORSP Client\fsorsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Programme\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Programme\Macrium\Reflect\ReflectService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: Contour Shuttle Device Engine (ShuttleEngine) - Contour Design, Inc. - C:\Programme\Contour Shuttle\ShuttleEngine.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\Programme\TuneUp Utilities 2010\TuneUpDefragService.exe

-- End of file - 8729 bytes
I also found that the process listens on port 1553, so I blocked outgoing traffic to port 25 and incoming traffic to port 1553.
Any help on how to track down the trojan and remove it would be very much appreciated.
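An added example, not part of the original post: the step HJT does not do for you is to tie the port-25 connections and the port-1553 listener to a specific svchost.exe PID and then to the service(s) that PID hosts, because svchost.exe itself is a legitimate Windows binary and only the hosted service tells you what is really running. Both "netstat -ano" and "tasklist /svc" exist on Windows XP SP3. The script below parses constructed sample output of those two commands (the PIDs, addresses and the service name "unknownsvc" are made up for the example and are not taken from the post) and reports which process owns the suspicious sockets and which services it hosts.

```python
"""Correlate `netstat -ano` with `tasklist /svc` to find which svchost.exe
instance owns outbound port-25 connections or a listener on port 1553, and
which services that instance hosts.  All sample data below is constructed."""

import re
from collections import defaultdict

# Constructed `netstat -ano` output; PIDs and addresses are made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  TCP    0.0.0.0:1553           0.0.0.0:0              LISTENING       1764
  TCP    192.168.1.10:1067      192.0.2.20:25          SYN_SENT        1764
  TCP    192.168.1.10:1068      192.0.2.21:25          ESTABLISHED     1764
  TCP    192.168.1.10:1070      198.51.100.5:443       ESTABLISHED     2210
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /svc` output; "unknownsvc" is a made-up service name
# standing in for whatever unfamiliar service the real box turns out to host.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1004 RpcSs
svchost.exe                   1112 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, helpsvc, lanmanserver,
                                   lanmanworkstation, Netman, Nla, RasMan,
                                   Schedule, seclogon, SENS, SharedAccess,
                                   ShellHWDetection, srservice, TapiSrv, Themes,
                                   TrkWks, W32Time, winmgmt, wscsvc, wuauserv,
                                   WZCSVC
svchost.exe                   1764 unknownsvc
firefox.exe                   2210 N/A
"""


def _split_addr(addr):
    """'192.168.1.10:1067' -> ('192.168.1.10', 1067); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts. TCP rows carry a State column,
    UDP rows do not, so the two are split by field count."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "TCP" and len(fields) == 5:
            proto, local, foreign, state, pid = fields
        elif fields and fields[0] == "UDP" and len(fields) == 4:
            proto, local, foreign, pid = fields
            state = ""
        else:
            continue  # header, blank line, or something we do not understand
        lhost, lport = _split_addr(local)
        rhost, rport = _split_addr(foreign)
        conns.append({"proto": proto, "lhost": lhost, "lport": lport,
                      "rhost": rhost, "rport": rport, "state": state,
                      "pid": int(pid)})
    return conns


def _add_services(lst, text):
    for name in (p.strip() for p in text.split(",")):
        if name and name != "N/A":
            lst.append(name)


def parse_tasklist(text):
    """Parse `tasklist /svc` into {pid: (image, [services])}. Long service
    lists wrap onto continuation lines that begin with whitespace."""
    row = re.compile(r"^(\S.*?\S|\S)\s+(\d+)\s+(.*)$")
    procs, current = {}, None
    for line in text.splitlines():
        m = row.match(line)
        if m:
            current = int(m.group(2))
            procs[current] = (m.group(1), [])
            _add_services(procs[current][1], m.group(3))
        elif current is not None and line.startswith(" "):
            _add_services(procs[current][1], line)
    return procs


def find_suspicious(conns, remote_ports=(25,), listen_ports=(1553,)):
    """Return {pid: [reason, ...]} for sockets talking to remote_ports or
    listening on listen_ports (the two indicators reported in the post)."""
    reasons = defaultdict(list)
    for c in conns:
        if c["proto"] == "TCP" and c["rport"] in remote_ports:
            reasons[c["pid"]].append(
                "outbound to %s:%d (%s)" % (c["rhost"], c["rport"], c["state"]))
        if c["state"] == "LISTENING" and c["lport"] in listen_ports:
            reasons[c["pid"]].append(
                "listening on %s:%d" % (c["lhost"], c["lport"]))
    return dict(reasons)


def correlate(netstat_text, tasklist_text, remote_ports=(25,), listen_ports=(1553,)):
    """Join the flagged PIDs with their image name and hosted services."""
    procs = parse_tasklist(tasklist_text)
    hits = find_suspicious(parse_netstat(netstat_text), remote_ports, listen_ports)
    return [{"pid": pid, "image": procs.get(pid, ("<unknown>", []))[0],
             "services": procs.get(pid, ("<unknown>", []))[1], "reasons": why}
            for pid, why in sorted(hits.items())]


if __name__ == "__main__":
    for f in correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("PID %d %s hosts %s" % (f["pid"], f["image"], ", ".join(f["services"]) or "(none)"))
        for r in f["reasons"]:
            print("   -", r)
```

On the real machine, save "netstat -ano" and "tasklist /svc" output to files and feed those in instead of the constructed samples. The svchost instance that hosts a single service you do not recognise is the one to look at: "sc qc <name>" shows its configuration, and the DLL an svchost-hosted service actually loads is the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters; a ServiceDll outside C:\WINDOWS\system32, or a service name that is a near-miss of a real Windows service, is the usual lead.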