Avast WEBforum
Other => General Topics => Topic started by: szc on December 29, 2007, 03:04:43 PM
-
Turned on my PC this morning and this is what popped out on my screen...
Another program is using this file:
C:\Windows\System32\Gebyw.exe
Used PrevX CSI and these are the readings:
(http://www.imgplace.com/directory/dir4027/1198937066.jpg)
-
Prevx CSI doesn't report avast! ashDisp.exe as Dropper.Agent.GIT on my computer. 12/29/07 9:30 am EST
(http://img297.imageshack.us/my.php?image=20071229prevxwu3.png)
-
Something is definitely wrong here... I'm restoring my system to a system image I made two weeks ago. I have no patience to go through the removal process, and I am sure that even when it's completed, nothing will be the same as before... so backup images are the way to go. Thank God for Norton Ghost, it has never let me down.
-
Definitely a Vundo infection - they are getting even sneakier now, changing other programme files to do their dirty work.
-
There was a case a few months ago where ashDisp was in fact infected. I don't remember who it was, but they were a regular on this forum at the time. All I recall is comparing file sizes, and that DavidR also commented.
-
What is even crazier is that I went back all the way to my July system restore image. When I scanned everything with Prevx CSI, a similar thing happened (Trojan.Vundo), but the only difference is that the avast! file is not infected. And, as you'd guess, no more avast! asking me to restart my system (from the other thread I started in this forum). So it could be that these two things have something in common.
The question... what happened to avast! protection? Isn't it supposed to protect us from things like this?
Ok, going back to my system restore images... I'm going all the way back to last year to see what's gonna happen when I restore one of those images... huh, difficult to enjoy these holidays when I have to sit in front of my PC the whole day... ::)
-
Yes, I forgot to say, I've noticed a few applications had exactly the same files (exactly the same name and extension) residing inside the same folder (how that is possible is beyond me)...
I remember all of them had the same size... some 980 KB or something, if I remember well.
Prevx is reporting this thing... but can't fix anything since I don't have the registered version ( ::) ::) ::) ). Nice touch, PrevX developers ^%$#@&%$&%
There is also a Norton Vundo removal tool... funny thing is that it can't find a thing on my computer. Huh? What now?
It looks like I really have to go all the way back to last year with my Ghost system images.
(http://img2.freeimagehosting.net/uploads/e26375ddd2.jpg)
-
Hi Sash, can you download and run this programme - it will look for any altered programme files. They are changed in a specific and detectable way.
- Download RenV.exe by sUBs (http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe) to your desktop
- Double click on it to run it
- It will search your system drive looking for any modified .exe files and will produce a log for you.
- Please attach this report to your reply (do not copy and paste)
-
How that is possible is beyond me...
Isn't it an infection that passed through avast protection? I.e., a misdetection by avast?
-
Sasha, are you saying in the other thread...
It could however have something to do with this (?) :
http://forum.avast.com/index.php?topic=32297.0 (http://forum.avast.com/index.php?topic=32297.0)
that avast could be restarting because it's corrupted (infected) and then it's repaired by the update and then requires a reboot?
-
I guess so, it sure looks like that...
I am doing a boot scan as we speak (posting this from my laptop), and avast! has already found some file named svcUpdate.exe or something like that that's infected. I sent it to the chest... what do I do with it now? Do I have to replace it with the same file that's not infected, or something else?
I have to go out now; I will leave my desktop PC and the avast! boot scan to fight it out. When I am back I will see what's happening. If nothing helps, I am afraid I will have to restore one of my oldest system images... :-[
-
Do I have to replace it with the same file that's not infected, or something else?
Which file? svcUpdate.exe or any of the avast files?
-
I have to go out now; I will leave my desktop PC and the avast! boot scan to fight it out. When I am back I will see what's happening. If nothing helps, I am afraid I will have to restore one of my oldest system images... :-[
Give essexboy's suggestion a shot first.
-
Here is a link to where this tool was used in a Vundo infection http://www.bleepingcomputer.com/forums/topic122459-15.html#entry697476 and, as you can see, a lot of legit files were corrupted. This tool is about one week old.
-
Thank you guys so much for all the replies and your help, I really appreciate everything! ;)
Unfortunately I hadn't noticed my friend's (essexboy's) reply with the link to that little tool, and I had already restored one of my old system images that had no infected files inside... totally clean.
The avast! boot scan started fooling around, saying it was unable to repair some files, so I gave up and went with restoring one of my old system images.
The problem is solved; I just wish I'd noticed that post in time, so at least I could have given it a try and seen what happens. Anyway, this is the situation, and I had a lot of extra applications to reinstall, but at least it's 100% clean now.
Thanks again, people, I appreciate your assistance!
-
It makes me wonder how long your system was infected... and no detection from avast! for all that time. Were you able to send those infected files to Alwil, or perhaps scan them over at VirusTotal?
-
The files were definitely infected... the last system image I tried was going back to July... that one was still infected. The first system image that contained an infected ashDisp.exe is the one from September. I had to go all the way back to last year to make sure.
-
The first system image that contained an infected ashDisp.exe is the one from September.
Couldn't it be a false positive from avast itself? I mean, the updated VPS is detecting them as infected?
The files were definitely infected...
What does VirusTotal say about them?
-
The strange thing is - if ashDisp.exe was modified (infected), it should announce that when started...
-
This behavioural change in Vundo was first noticed about 2 weeks ago, and it then took about a week for a search-and-repair tool to be developed. It appears to have copied some elements from AWF.
-
Sasha,
Any idea where the infection might have come from?
-
The first system image that contained an infected ashDisp.exe is the one from September.
Couldn't it be a false positive from avast itself? I mean, the updated VPS is detecting them as infected?
Not likely, since avast! never reported anything to me... scanning my system wouldn't show anything. Now, when I have a perfectly clean installation of my system (I used one of the cleanest system images I created, right after the installation of Windows), avast! works like a charm. Not once has it asked me to reboot, except when it was doing a program update at one point.
The files were definitely infected...
What does VirusTotal say about them?
Trojan.Vundo infection
The strange thing is - if ashDisp.exe was modified (infected), it should announce that when started...
Yes Igor, indeed it's strange... and it still puzzles me. I have no idea why it was happening.
Sasha,
Any idea where the infection might have come from?
Not sure, because it started so long ago... but it must have been that I downloaded some .exe file or something that sneaked inside... that was easy, I guess, since avast! never alarmed me. Just to say that I am not visiting those nasty sites, and Site Advisor was always on... when a site is marked green, I am in... if it's suspicious, I am out...
-
Igor, I suppose that particular Vundo signature was already added to avast...
-
Well, well, well... ashDisp does seem to get noticed. For my current version:
Ikarus: Trojan.Win32.Patched.af ;)
Not reporting a problem, just a comment.
Whatever was altering the file must have been around for a while, as there have been a couple of program updates. Properties of the file show it was created in Oct and modified in Sept 2007. Or doesn't this file get updated?
-
These are the CRC and MD5 for my ashdisp.exe
-
Just as I thought, FP. All report nothing now.
File size: 79224 bytes
MD5: 8cf58586ae4577ed71ffe8883a6d4b3b
SHA1: 13dca1a373b3efa901dfbd91373433d8bd9881b1
Different numbers than yours, but I'm on version 4.7.1043.
-
These are the CRC and MD5 for my ashdisp.exe
Ours match
v4.7 build 1098
88D86112DD9F2BB6A603674706C7E846 ashDisp.exe
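The posts above settle the ashDisp.exe question the right way: by comparing size and hashes of the file against a known-good copy of the same build. A clean system image (or a baseline taken right after install, as Sasha had) lets you do the same for every executable on the disk rather than one file at a time. The script below is an added example written for this thread; it is not code from RenV, Prevx CSI, avast! or any other tool mentioned here. It builds a size + MD5/SHA-1/SHA-256 baseline of .exe/.dll files under a directory and then reports files that were modified, removed or newly added. The directory layout, the file contents and the "patch" it applies are constructed stand-ins, not real Windows binaries and not a reproduction of what Vundo actually writes. The second stand-in is overwritten in place so its size does not change, which is why a size-only comparison (as in the earlier case recalled above) is weaker than a hash comparison.

```python
"""Size + hash baseline check for program files (added example, not from the thread)."""
import hashlib
import tempfile
from pathlib import Path

HASH_ALGOS = ("md5", "sha1", "sha256")  # the same digests posted in the thread, plus SHA-256
PROGRAM_SUFFIXES = (".exe", ".dll")


def hash_bytes(data, algos=HASH_ALGOS):
    """Return {algo: hexdigest} for an in-memory blob (used by hash_file and in tests)."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def hash_file(path, algos=HASH_ALGOS):
    """Hash a file in 64 KiB chunks so large binaries are not read into memory at once."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def build_baseline(root, suffixes=PROGRAM_SUFFIXES):
    """Map each program file (path relative to root, POSIX form) to its size and hashes."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, **hash_file(p)}
    return baseline


def compare_to_baseline(root, baseline):
    """Rescan root and diff it against a saved baseline.

    A file is 'modified' when its SHA-256 differs, whether or not its size changed;
    'missing' when it was in the baseline but is gone; 'added' when it is new.
    """
    current = build_baseline(root)
    report = {"modified": {}, "missing": {}, "added": {}}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"][rel] = old
        elif new["sha256"] != old["sha256"]:
            report["modified"][rel] = {
                "baseline": old,
                "current": new,
                "size_changed": new["size"] != old["size"],
            }
    for rel, new in current.items():
        if rel not in baseline:
            report["added"][rel] = new
    return report


def demo():
    """Constructed scenario: take a baseline, tamper with two files, drop in a third, rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "System32").mkdir()
        # Stand-in files with an 'MZ' prefix; these are NOT real binaries (constructed sample).
        (root / "ashDisp.exe").write_bytes(b"MZ" + b"\x00" * 78)                 # 80 bytes
        (root / "System32" / "svchost.exe").write_bytes(b"MZ" + b"\x01" * 100)   # 102 bytes

        baseline = build_baseline(root)

        # Hypothetical patch 1: payload appended, so the size grows (caught by size or hash).
        with open(root / "ashDisp.exe", "ab") as f:
            f.write(b"PATCHED")
        # Hypothetical patch 2: one byte overwritten in place, size unchanged (hash only).
        (root / "System32" / "svchost.exe").write_bytes(b"MZ" + b"\x01" * 99 + b"\x03")
        # A new dropped file, named after the one reported in the first post (constructed).
        (root / "System32" / "Gebyw.exe").write_bytes(b"MZ" + b"\x02" * 50)

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    result = demo()
    for kind in ("modified", "missing", "added"):
        for rel, info in result[kind].items():
            extra = ""
            if kind == "modified":
                extra = " (size changed)" if info["size_changed"] else " (size unchanged!)"
            print(f"{kind:9s} {rel}{extra}")
```

Save the baseline dictionary (as JSON, for example) while the machine is known clean, keep it off the machine, and diff against it when something looks off; a file that hashes differently from the same build on a clean image is worth submitting to VirusTotal or the vendor, as suggested above, before trusting either a "clean" or an "infected" verdict from a single scanner.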