Avast WEBforum

Other => General Topics => Topic started by: Jaygee on July 03, 2009, 06:47:54 PM

Title: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 03, 2009, 06:47:54 PM
I have 50 instances of ashMaiSv.exe and 50 instances of ashWebSv.exe listed in Windows Task Manager.  They range in size from 1,272k to 3,052k for ashMaiSv.exe and 1,536k to 3,580k for ashWebSv.exe.  When I first saw them propagating I was worried that they would eventually eat up all the memory and the system would lock up, but when the count reached 50 they/it stopped propagating.  BTW, there are 4 or 5 different sizes for each of the modules in question.  Does anyone have an idea why this would happen?

Thanks in advance,

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: DavidR on July 03, 2009, 08:16:28 PM
The installation isn't correct. There should only be one occurrence of the avast processes in task manager, see image.

Have you (or did you have) another AV installed on this system? If so, what was it and how did you get rid of it?
What other security software do you have installed ?

I would suggest a clean reinstall (answer the other AV question):
Download the latest version of avast http://www.avast.com/eng/download-avast-home.html (http://www.avast.com/eng/download-avast-home.html) and save it to your HDD, somewhere you can find it again. Use that when you reinstall. Ensure that you scroll down and select the avast direct download link for the English version and not Cnet as that is for an on-line installation (not what you want to do).

Download the avast! Uninstall Utility, find it here (http://www.avast.com/eng/avast-uninstall-utility.html) and save it to your HDD.
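A quick way to check the "one occurrence of each process" expectation from the reply above before reinstalling, added here as an example and not code posted in the thread or shipped by avast: the script counts running instances of each avast image and, for each image, lists the distinct owners, parent processes and executable paths. A single service instance started by services.exe with a path under the avast install directory is what a healthy install looks like; dozens of copies with some other parent tell you what is spawning them, and asking WMI for the owner directly gives more than the blank or "unknown" user column in Task Manager. It assumes PowerShell 2.0 on Windows XP (hence Get-WmiObject rather than Get-CimInstance) and the image names mentioned in this thread; it reads process information only and changes nothing.

```powershell
# Added example (not from the thread): count instances of the avast images
# and show owner, parent process and path for each. PowerShell 2.0 / XP.
$watch = 'ashMaiSv.exe', 'ashWebSv.exe', 'ashServ.exe', 'ashDisp.exe', 'aswUpdSv.exe'

$all   = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

function Get-OwnerLabel($proc) {
    # GetOwner() returns Domain/User, or a non-zero ReturnValue when the
    # process token cannot be opened from this account.
    $o = $proc.GetOwner()
    if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { "unknown (rc=$($o.ReturnValue))" }
}

$rows = $all |
  Where-Object { $watch -contains $_.Name } |
  Group-Object Name |
  ForEach-Object {
      $g = $_
      # Distinct parents across every instance of this image. A service has
      # services.exe as its parent; if the parent has already exited only the
      # parent PID is known, which is itself worth noting.
      $parents = $g.Group | ForEach-Object {
          $pp = $byPid[[int]$_.ParentProcessId]
          if ($pp) { "$($pp.Name)[$($pp.ProcessId)]" } else { "<exited>[$($_.ParentProcessId)]" }
      } | Sort-Object -Unique
      $owners = $g.Group | ForEach-Object { Get-OwnerLabel $_ } | Sort-Object -Unique
      $paths  = $g.Group | ForEach-Object { $_.ExecutablePath } | Sort-Object -Unique
      $status = 'ok'
      if ($g.Count -gt 1) { $status = 'DUPLICATE' }

      New-Object PSObject -Property @{
          Image     = $g.Name
          Instances = $g.Count
          Status    = $status
          Owners    = ($owners -join ', ')
          Parents   = ($parents -join ', ')
          Paths     = ($paths -join ', ')
      }
  }

$rows | Format-Table Image, Instances, Status, Owners, Parents, Paths -AutoSize
```

Run it from an administrator account so GetOwner() can open the tokens of service processes; a path that is not under the avast install directory, or an owner that is not SYSTEM for the service images, is the first thing to look at before reinstalling.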
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 03, 2009, 11:53:16 PM
Thanks for the reply.
2 years ago we dropped Norton/Symantec AV and went with Avast.  We used the uninstall that came with Norton.  We have been running Avast since and never had a problem.  We also noticed that in the taskmgr list it says the user is "unknown" for nearly every task.  A few say "System".  I ran a virus scan with Avast of the windows folder and subs and found three modules that were all part of a Trojan according to Avast.  We deleted them and rebooted but still have the multiple instances of the 2 Avast modules. We don't use Outlook for email so we terminated that in Avast and I thought the ashMaiSv would go away from the task list but it did not.

I will follow your suggestion and I will do a complete scan of the system at boot time to make sure there is no malware around.  Hopefully this will clear up our misfortunes.

Thanks again,

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 04, 2009, 12:17:21 AM
Download this program (free), install, update, and run a quick scan, then please copy/paste the results. Thank you http://filehippo.com/download_malwarebytes_anti_malware/ (http://filehippo.com/download_malwarebytes_anti_malware/)
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: DavidR on July 04, 2009, 12:58:09 AM
Whilst it has been a long time since you had Norton/Symantec, it may still be worth running this tool, though it is more for confirmation than anything.

A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039)

Deletion isn't really a good first option (you have none left). 'First do no harm': don't delete, send the virus to the chest and investigate.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Run MBAM as suggested and post the results.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Lisandro on July 04, 2009, 01:46:27 PM
Can you try an installation from scratch?

1. Uninstall avast from Control Panel first.
2. Boot.
3. Download the latest version of Avast Uninstall (http://www.avast.com/eng/avast-uninstall-utility.html) and use it for complete uninstallation. If, for any reason, you can't run it, try booting in Safe Mode (http://www.pchell.com/support/safemode.shtml) and doing it from there.
4. Boot.
5. Download, save and install the latest avast! (http://www.avast.com/eng/programs.html) version. It will be good to accept the boot time scanning on next boot.
6. Boot.
7. Check and post the results.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 05, 2009, 04:21:19 PM
I am going to go through the recommendations today but I first checked the Taskmgr list and found that the 50 instances are still there but the sizes have changed.  Today the ashMaiSv is ranging from 360k to 620k and ashWebSv is ranging from 376k to 648k; much smaller than 2 days ago.  No one has rebooted in between times and the system seems stable.

Will post results later.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: DavidR on July 05, 2009, 04:39:45 PM
Sizes aren't going to remain the same as it is based on working memory, which is obviously going to change.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 05, 2009, 05:55:07 PM
I finished the recommended steps and just rebooted about 10 min ago.  So far I only have 18 instances (just checked again after starting IE8 and it is now up to 23 instances of each module, ashMaiSv and ashWebSv.)  I guess the problem is not solved and the number of instances will continue to increase.  Hopefully it will stop at 50 again.  The memory usage is higher again; ashMaiSv is 3044k to 3100k and ashWebSv is 3516k to 3556k.  (Just for grins I just checked again and while typing the above the count has increased to 29.)  :-[

Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 05, 2009, 06:11:51 PM
By the way, during the boottime scan there was one module infected.


Initialization of Chest files
------------------------------------------------------------------------------------------
Program will try to load all Chest files from the following server: (null)
FileID: 0000000001  Original file name: C:\Documents and Settings\Aloha\Local Settings\Temporary Internet Files\Content.IE5\K59KSU0F\antvrs.exe  File category: 1
FileID: 0000000002  Original file name: C:\WINDOWS\system32\kernel32.dll  File category: 0
FileID: 0000000003  Original file name: C:\WINDOWS\system32\winsock.dll  File category: 0
FileID: 0000000004  Original file name: C:\WINDOWS\system32\wsock32.dll  File category: 0
------------------------------------------------------------------------------------------
Action was completed successfully!

Explorer is showing all hidden and system files, yet C:\Documents and Settings\Aloha\Local Settings\Temporary Internet Files does not appear when I open Explorer.  It only shows "Application Data" and "Temp" under Local Settings.

Any thoughts??

Thanks in advance

Jay Gee


Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 05, 2009, 07:06:26 PM
It is now 45-50 minutes later and the count has reached 50 and holding.  I am curious (yet grateful) as to why the count stops at 50 instances for each module.  If I wanted to shut down each of these modules under normal circumstances (ie only one of each) where would I go in AVAST to do that?

I am also looking to solve another "problem?"
In taskmgr the "User Name" is "unknown" for all but a couple of tasks that say "SYSTEM"

I have searched Google and everything that is even close is from 2005 and before and doesn't exactly match my problem.

Thanks for any insights anyone can pass on.

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 05, 2009, 07:11:10 PM
Have you run the program I suggested earlier ?
antvrs.exe is from AV2008, a nasty bit of work. I assume you have already removed this program.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 06, 2009, 04:02:38 PM
To All,

Here are the results of the MBAM scan.  YES it did find some remnants of the AV2008 that we fought a while back.

If this virus/trojan/malware is so old why doesn't AVAST find it?

========================================================================
Malwarebytes' Anti-Malware 1.38
Database version: 2379
Windows 5.1.2600 Service Pack 3

7/6/2009 9:56:30 AM
mbam-log-2009-07-06 (09-56-18).txt

Scan type: Quick Scan
Objects scanned: 123691
Time elapsed: 10 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
c:\documents and settings\Aloha\Application Data\AntiVirus (Rogue.AntiVirus2008) -> No action taken.

Files Infected:
c:\documents and settings\Aloha\application data\antivirus\antvrs.exe (Rogue.AntiVirus2008) -> No action taken.
C:\WINDOWS\system32\win32.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\iaxcfg32.dll (Trojan.Agent) -> No action taken.
==============================================================


Maybe the newest version of AVAST will catch more!

Thanks for your help.  At this point I haven't removed the selected items.  I will do so and reboot to see how we make out.

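The two "Registry Data Items" in the MBAM log above are the Security Center values that, when set to 1, suppress the Security Center warning for that component, which is why a rogue product sets them. Rather than trusting a single cleanup run, a practitioner re-reads them after the reboot: if MBAM set them back to 0 and they are 1 again, something still on the machine is flipping them. The script below is an added example, not code from the thread or from Malwarebytes; it assumes PowerShell 2.0 on Windows XP, only the two value names that appear in the log, and is read-only unless you set $Fix to $true.

```powershell
# Added example (not from the thread): audit, and optionally reset, the two
# Security Center "DisableNotify" values reported in the MBAM log above.
# PowerShell 2.0 / Windows XP. $Fix = $true writes 0 back; default is read-only.
$Fix    = $false
$key    = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$values = 'AntiVirusDisableNotify', 'FirewallDisableNotify'

function Get-SecurityCenterNotify {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $values) {
        $v = $null
        if ($item -ne $null) { $v = $item.$name }
        # 1 = warning suppressed (what the rogue sets); 0 or absent = normal.
        $state = 'unexpected'
        if ($v -eq 1)                     { $state = 'notifications suppressed' }
        elseif ($v -eq 0 -or $v -eq $null) { $state = 'ok' }
        New-Object PSObject -Property @{ Name = $name; Value = $v; State = $state }
    }
}

$before = Get-SecurityCenterNotify
$before | Format-Table Name, Value, State -AutoSize

if ($Fix) {
    foreach ($row in $before) {
        if ($row.State -ne 'ok') {
            Set-ItemProperty -Path $key -Name $row.Name -Value 0 -Type DWord
            Write-Host ("reset {0} to 0" -f $row.Name)
        }
    }
    Get-SecurityCenterNotify | Format-Table Name, Value, State -AutoSize
}
```

Keep a copy of the first run's output; the useful signal is a value that comes back as 1 after it was reset and the machine rebooted, not the value on its own.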
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: DavidR on July 06, 2009, 04:25:57 PM
Yes you should run MBAM again and allow it to remove them.

However, before you do send samples to avast to improve detection.

Send the sample to virus@avast.com, zipped and password protected, with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 06, 2009, 04:51:28 PM
Sorry.
I already removed the items and re-booted before I saw your latest post.
Still getting multiple instances of ashMaiSv and ashWebSv
Any additional ideas will be much appreciated.

Thanks,

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 06, 2009, 05:28:17 PM
I think you have a serious threat somewhere, possibly a rootkit. I would run one, if not both, of the following.
 
http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130 (http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130)

http://www.bleepingcomputer.com/combofix/how-to-use-combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

I am not very familiar in the use of Combofix, but it is a very powerful, and useful program.

Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 07, 2009, 07:09:08 PM
Using AVAST I terminated the web shield and the Outlook/Exchange modules and then rebooted. I thought that would keep ashMaiSv and ashWebSv from running.  It did stop ashWebSv from running but ashMaiSv is still running 50 instances and there is no instance of ashWebSv running.  Microsoft Security Center reports that "avast! antivirus 4.8.1335[VPS 090706-0]" is turned off yet taskmgr shows ashDisp.exe, 50 copies of ashMaiSv.exe, ashServ.exe and aswUpdSv.exe all running.

I tried to install combofix per a previous suggestion and, at the time, it could not set a restore point so I terminated it for now.  I will restart the System Restore and try again.

Thanks for all the great suggestions and support found here.

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 07, 2009, 07:16:55 PM
Try the rescue CD; it scans your system without booting Windows. It does not create a log; I think you would have to write down anything it finds.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 08, 2009, 05:40:03 PM
I must say ... I was overtaken by a sense of having been coerced into downloading some awful program and destroying my system when I clicked on the Thumbnail on the Avira Web page and a popup got past Firefox.  That popup was about an evil looking game of some sort.  It opened another Firefox tab and left it open but I was quick to close it out of fear.  I must say I was EXTREMELY reluctant to boot their CD after I saw that. Then when I booted the Avira CD another evil looking cartoonish character appeared in the upper left corner of the screen.  Nonetheless I did boot up and after about 10 seconds the evil little character disappeared.   This is not a good way for Avira to give a very comfortable feeling about their product(s).

I have transcribed all of the information on the Avira screen below.
Below that are a couple of concerns that I have.

========================================
Items found by Avira Rescue CD:

/media/Devices/sda1/ComboFix/n.pif
ALERT: [HIDDENEXT/Crypted] /media/Devices/sda1/ComboFix/n.pif <<< The file contains an executable.  
This however, is disguised by a harmless file extension (HIDDENEXT/Crypted) not removable
file renamed.  (Avira did not say to what it was renamed.)

/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files/Content.IE5/OTE30PE3/horoscopes[1].css
WARNING: archive not completely scanned: contents exceed 191397888 bytes
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files/Content.IE5/SI058REH/CADFBH79
WARNING: archive not completely scanned: contents exceed 191397888 bytes

/media/Devices/sda1/TEMP/ComboFix.exe
ALERT: [HIDDENEXT/Crypted] /media/Devices/sda1/TEMP/ComboFix.exe --> 32788R22FWJFW\n.pif <<< The file contains an executable.  
This however, is disguised by a harmless file extension (HIDDENEXT/Crypted) not removable
file renamed.  (Again, Avira did not say to what it was renamed.)

archive: /media/Devices/sda1/WINDOWS/system32/files.zip --> loader.exe extract error (ALL files in archive are encrypted.)
/media/Devices/sda1/WINDOWS/system32/files.zip
WARNING: archive not completely scanned: contents encrypted

/media/Devices/sda1/WINDOWS/system32/wh.exe
ALERT: [TR/Crypt.XPACK.Gen] /media/Devices/sda1/WINDOWS/system32/wh.exe <<< Is the Trojan horse TR/Crypt.XPACK.Gen
not removable
file renamed.
------ scan results ------
directories:     14339
files:          689228
alerts:              3
suspicious:          0
repaired:            0
deleted:             0
renamed:             0
quarantined:         0
warnings:            3
scan time:    00:59:12

========================================

Do I need to be concerned about the two warnings where the files were supposedly too large to completely scan?
Personally I doubt that /...Local Settings/Temporary Internet Files/Content.IE5/OTE30PE3/horoscopes[1].css is greater than 191397888 bytes.
What about the archive that was not completely scanned because it was encrypted?

After rebooting I looked for the above items to see to what they had been renamed.
The first item /media/Devices/sda1/ComboFix/n.pif appears that Avira removed the "/n.pif" and it now appears as a folder in the root of the C: drive with the same icon as "My Computer".  When I click on the "plus" (+) next to it, it opens up and appears the same as "My Computer" with the entire hierarchy down to but not including "My Network Places".  I am afraid that if I delete it, it will wipe out my entire hard drive.

The second item:
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files/Content.IE5/OTE30PE3/horoscopes[1].css

is damaged also in that the hierarchy goes as far as
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files
then there is no Content.IE5 or anything below that.
When I right-click on Temporary Internet Files and click properties it reports that it is 432mb with 14,523 files AND 24 folders but I cannot see the folders.  When I look at the files alphabetically the Content.IE5 is not in the list as a folder or otherwise.
Needless to say I cannot find the horoscope file or the other file/folder.


ALERT: [HIDDENEXT/Crypted] /media/Devices/sda1/TEMP/ComboFix.exe --> 32788R22FWJFW\n.pif
was found in the TEMP folder of the C:Drive (sda1) renamed to ComboFix.exe.XXX


archive: /media/Devices/sda1/WINDOWS/system32/files.zip
this file is dated 7/1/2009 at 1:03 AM and is only 20KB
I manually renamed it to files.xxx.zip.


ALERT: [TR/Crypt.XPACK.Gen] /media/Devices/sda1/WINDOWS/system32/wh.exe <<< Is the Trojan horse TR/Crypt.XPACK.Gen
This file was renamed to wh.exe.XXX and is dated 7/1/2009 at 1:03 AM and is 34KB
Obviously these two are related since they are dated the same and timestamped the same.

My biggest concern is with the ComboFix file/folder/My Computer or whatever it is.
The properties say it is 6.56 mb, contains 197 files and 1 folder.
I feel somewhat that it may be the ComboFix I downloaded yesterday and it gave a "false positive" to Avira.
BUT what do I do with it now?

By the way, I still have 50 instances of ashMaiSv.exe and NO instances of ashWebSv.exe.


When I restarted, avast detected an unauthorized modification to ashDisp and I was asked if I wanted to run it anyway.
I said no and thus, ashDisp is not running but ashMaiSv has 21 instances running in the first 5 minutes.  Also, ashServ and aswUpdSv are running but no other ash modules.

Should I uninstall and reinstall AVAST again?

One piece of good news is that I no longer get the message that I am not authorized to shutdown or restart windows.

Thanks,

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 08, 2009, 07:47:16 PM
Please do not worry about the game pop-up, it's harmless. The second cartoon character was possibly the Linux penguin. I did not realise, but Avira does see Combofix as malicious. It's a heuristic find. Recommending having both at the same time was a mistake, apologies. I would remove Combofix http://www.bleepingcomputer.com/forums/topic114269.html (http://www.bleepingcomputer.com/forums/topic114269.html)
Regarding the unexplained 6.56 MB folder: what is in that folder? Did you actually run Combofix? It could be backup files.
As for all those temp files, you could run CCleaner http://filehippo.com/download_ccleaner/ (http://filehippo.com/download_ccleaner/). Do not install the Yahoo toolbar (optional).
Regarding wh.exe, I'm not sure how serious a threat that was; Prevx says system backdoor, others say adware. With what MBAM found (C:\WINDOWS\system32\win32.exe (Backdoor.Bot)) plus the AV2008, you seem to have had some bad stuff on board.
Personally I 'would' reinstall Avast. However, it's just my opinion, you still have something nasty lurking. That's my opinion only.

Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 08, 2009, 07:59:54 PM
I did start ComboFix yesterday and it was unable to set a system restore point so I terminated it.
I think I have corrected the problem with system restore so I could try it again but it now looks "exactly" like "My Computer" in that if I click on the (+) sign next to it (in Windows Explorer) or double-click the name it opens up a tree structure beneath it that is "Exactly" the same as "My Computer" including the "ComboFix" name with no extension and another (+) sign.  It is recursive down at least a couple more levels.  I didn't want to go any further.  I tried to rename it by putting a .xxx at the end but it still appears with the "My Computer" icon and nothing changes.  Explorer still reports it as a folder with sub folders the same as "My Computer."

I am going to uninstall/reinstall AVAST and see what happens with ashMaiSv and ashWebSv and now ashDisp too.

Thanks

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 08, 2009, 08:15:51 PM
Well, I would assume Avira has wrecked Combofix by renaming it, so please remove it. I should not have advised you to use it. Removing Combofix may well remove that folder.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 08, 2009, 08:29:07 PM
What about the fact that the icon has my entire SYSTEM structure showing within it?
I am fearful that Explorer may interpret the delete command as all inclusive of the items therein and damage my system beyond repair.

Scared,

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 08, 2009, 08:32:33 PM
It's only 6 MB in size. Remove Combofix as suggested, and see if that folder is still there.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 08, 2009, 08:50:08 PM
Do you mean to use the "remove Combofix" instructions http://www.bleepingcomputer.com/forums/topic114269.html
you mentioned previously?  That may not work at all now because it does not have a file extension except the renaming I did as .xxx.
Previously it was "ComboFix/n.pif"; now it is just "ComboFix.xxx".  Do you think I should try to rename it to n.pif and see if it will execute?


Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 08, 2009, 09:14:54 PM
I would 'try' the removal method. However, I would not worry too much at this point about Combofix or any folders it has created. They are not the main concern. Your main concern is any malware still on your PC and the fact that Avast is not working correctly.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 09, 2009, 03:28:54 PM
I disagree with what you deem as my main concern because if Windows Explorer for some reason now reads the "ComboFix" "Folder" as having the same attributes as "My Computer" and it is recursive for at least 3 levels down ... I fear the loss of much more than just one folder.  Remember, once it starts to delete everything, I can't stop it.  Even if I power off, the damage to FAT tables etc. already inflicted by the delete action may be unrecoverable.  Does anyone know how to change the attributes of a folder back to a file?

By the way, the removal method recommended is to run ComboFix from the"Run box" with "Combofix /u".  I don't think it will run when it appears as a folder.  I will however give it a try.

Thanks,

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 09, 2009, 04:18:40 PM
I attached an external drive and copied the Combofix folder to verify what Windows Explorer saw in the folder.  As it copied over I saw that it was NOT going to delete everything in the system so I then deleted the folder from the C: drive.  I was doing some research on TR/Crypt.XPACK.Gen to see what registry entries or changes it may have made that are keeping some functions from working in Windows.  I ran across "eXterminate IT!", downloaded it and ran it.  The trial version will only detect and not remove any malware but it found c:\Windows\PEV.exe, a Trojan with a Malware name of "Games Thief".  A Google search yielded a site called prevx.com at the top and their site says this is also known as PEV.CFEXE, VFIND.EXE, SUS.VFIND.EXE.SUS, DC1.EXE, 54212433.EXE, 11464626.EXE and has varying file sizes.  It was first seen in Mar 2009. Here is their list of behaviors for this.
File Behavior

PEV.EXE has been seen to perform the following behavior:

    * The Process is packed and/or encrypted using a software packing process
    * Executes a Process
    * Writes to another Process's Virtual Memory (Process Hijacking)
    * Uses low level functions to hide itself from the user and from system/security processes
    * Found on infected systems and resists interrogation by security products
    * The Process is polymorphic and can change its structure

PEV.EXE has been the subject of the following behavior:

    * Executed as a Process
    * Created as a process on disk
    * Terminated as a Process
    * Has code inserted into its Virtual Memory space by other programs
    * Deleted as a process from disk

I realize I may be grabbing for straws but is this possibly the reason ashMaiSv is appearing in my task list 50 times?

How do I send this to AVAST?

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: DavidR on July 09, 2009, 04:35:29 PM
I don't know if it is a possible reason for the multiple copies of ashMaiSv running but I would suggest sending this sample pev.exe to avast.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Send the sample to virus@avast.com, zipped and password protected, with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 09, 2009, 05:53:09 PM
I'm very happy you sorted that folder out. Regarding Exterminate-it, I'm very wary of unknown programs that find threats, then want money to remove them. Their site is not seen favourably by WOT http://www.mywot.com/en/scorecard/exterminate-it.com (http://www.mywot.com/en/scorecard/exterminate-it.com). However, please send Pev.exe to VirusTotal. You could also upload wh.exe or wh.exe.xxx, to see what kind of virus it was.

If you wish here are some scanners that will remove malware

DrWeb Cureit ( standalone tool ) http://www.freedrweb.com/cureit/ (http://www.freedrweb.com/cureit/)
Trend Micro online scanner http://housecall.trendmicro.com/ (http://housecall.trendmicro.com/)

Also strongly recommended SAS http://www.superantispyware.com/ (http://www.superantispyware.com/)

If you don't mind, could you please download HijackThis and run it. A scan will take 10 seconds. Choose 'scan and save a logfile' and copy/paste the txt log here. Thank you http://filehippo.com/download_hijackthis/ (http://filehippo.com/download_hijackthis/)
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 09, 2009, 06:06:59 PM
Okay, here is the link to the Virus Total permalink ... the file was named PEV.xxexexx when I uploaded it.
I had booted into windows in safe mode and moved the file from its original location in C:\Windows to c:\Program Files\Alwil Software and changed the extension to xxexexx.  I thought that would make it available to move to the chest and send to AVAST but the chest is READ only and I cannot change it for obvious reasons.  Also, when I try to add it to the chest the ADD is greyed out.  I did email it to virus@avast.com as instructed.

I am emailing files.zip.xxx, formerly files.zip and wh.exe.xxx to virus@avast.com with a reference to this forum topic.

I uninstalled AVAST again today and reinstalled it after the above mentioned bad guys were renamed and I still have the 50 instances of ashMaiSv and ashWebSv.

Thanks for your replies,

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 09, 2009, 06:36:29 PM
Can you post the Virustotal results for wh.exe.xxx

I think Pev.exe is from Combofix, sorry http://forums.majorgeeks.com/showpost.php?s=3df47d211052f014e8b085ce8199ae0d&p=1349259&postcount=4 (http://forums.majorgeeks.com/showpost.php?s=3df47d211052f014e8b085ce8199ae0d&p=1349259&postcount=4)

Can you post the HJT log ?
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 09, 2009, 06:57:20 PM
See the Virus Total report here for wh.exe.xxx
http://www.virustotal.com/analisis/936d276fbcebbc0e2cd686636f8bd208206750245bfcf8adfd30a08a53298cb4-1247156325
 
 
See the Virus Total report here for files.xxx.zip
http://www.virustotal.com/analisis/d892d9e42930861aebda760eea290250b763e27dd5d86d607a926414b3b6f545-1247156756
 

I was browsing around c:\Windows and found the following files that were all created on my system on 20090707 at 9:52 am, just 2 days ago ... these make me nervous and I am trying to research them now.  I deleted them to the recycle bin for now.

NIRCMD.exe
sed.exe
SWREG.exe
SWSC.exe
SWXCACLS.exe
zip.exe
grep.exe


Any input would be appreciated.

Thanks,

Jay Gee
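The post above does by hand what is worth scripting: pivoting on a known-bad file's creation timestamp to find everything else written in the same moment (wh.exe and files.zip carried the same date and time earlier in the thread, and the files listed above all share one minute). The script below is an added example, not code from the thread or from any of the tools mentioned in it. It takes one file already judged suspicious, walks a directory tree for files created within a short window of it, and prints size and SHA-256 for each without running anything, so the hash can be looked up on VirusTotal as DavidR suggested. It assumes PowerShell 2.0 on Windows XP (so it hashes through .NET rather than Get-FileHash), and the reference path, root and window are illustrative. Two caveats a practitioner would add: legitimate installers and cleanup tools also drop several files at once, which is exactly what happened here with the ComboFix components, so the hash is what settles it, not the timestamp; and creation times can be set by the thing that wrote the file, so a file outside the window is not thereby cleared.

```powershell
# Added example (not from the thread): list files created within a window of
# a known-bad file's creation time, with size and SHA-256. PowerShell 2.0 / XP.
# Renaming a file (as Avira did, adding .XXX) does not change its creation time.
$Reference     = 'C:\WINDOWS\system32\wh.exe.XXX'   # assumed path of the renamed file
$Root          = 'C:\WINDOWS'                        # tree to search
$WindowSeconds = 120

function Get-Sha256Hex([string]$Path) {
    # Open read-only, sharing with readers and writers, so a file another
    # process is holding open can still be hashed.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Close()
    }
}

function Get-FilesCreatedNear([string]$RefPath, [string]$SearchRoot, [int]$Seconds) {
    $t0 = (Get-Item -LiteralPath $RefPath -Force).CreationTime
    Get-ChildItem -LiteralPath $SearchRoot -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer } |
      Where-Object { [math]::Abs(($_.CreationTime - $t0).TotalSeconds) -le $Seconds } |
      ForEach-Object {
          $hash = 'unreadable'
          try { $hash = Get-Sha256Hex $_.FullName } catch { }
          New-Object PSObject -Property @{
              Created = $_.CreationTime
              Size    = $_.Length
              SHA256  = $hash
              Path    = $_.FullName
          }
      } |
      Sort-Object Created
}

Get-FilesCreatedNear $Reference $Root $WindowSeconds |
  Format-Table Created, Size, SHA256, Path -AutoSize
```

Paste the hash into the VirusTotal search rather than uploading the file when you want to know whether it has already been seen; upload only when the hash is unknown, and keep the renamed copy in place so the record of what was found is not lost.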
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 09, 2009, 07:05:26 PM
This is getting silly. NIRCMD.exe is from Combofix, swxcacls.exe is from SmitFraudFix, swreg.exe is from SDFix (as is grep.exe), etc. etc. It would be best if you let anti-malware scanners do the job for you.

Actually I'm done here, best of luck
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 09, 2009, 07:17:06 PM
I appreciate your position and I truly appreciate all your guidance throughout this mess.  I have been using Virus Total to check some of these files and 3 of them are reported as suspicious especially NIRCMD.
My point is that different malware scanners see things differently and I don't know which one(s) to trust.

I have not had the chance yet to download HJT but will later and then send the report. 

Please understand that I am not trying to be a pain ... I am only trying to get rid of any malware and to get AVAST to work with only one copy of the aforementioned modules running at a time.  Believe me I am just as frustrated with this problem as you are frustrated with me.

I apologize if I have somehow rubbed you the wrong way.

Thanks,

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 09, 2009, 07:34:58 PM
You have absolutely nothing to apologise for. You have obviously been running many anti-malware tools, some of which other programs see as malicious (as you, and I, have learned with Combofix and Avira). I wish I was more qualified to help you. I hope you sort your problem out.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 09, 2009, 07:42:57 PM
When I discovered the files you say are part of Combofix I also discovered a file that was created at the same instant as the wh.exe and the files.zip that we discussed earlier.  The file is named 715219c8b97e6ab3972c8ff73348b4c1 and 15 minutes ago it was 0kb.  Now it is 2kb.  I cannot delete it because it is in use by another user or process.


I just tried to post the HJT log but it exceeds 10000 characters so I will have to break it into two pieces.

Here is the first part:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:33 PM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\aloha\FTP\alohas.exe
d:\Aloha\vbo\bin_10.1.77.777\ATDDB.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Aloha\bin\Ctlsvr.EXE
C:\Program Files\DynDNS Updater\DynUpSvc.exe
d:\Aloha\bin\Edcsvr.EXE
d:\Aloha\vbo\bin_10.1.77.777\GCLegacy.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
D:\aloha\ftp\PollCheck.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
D:\Aloha\vbo\BIN_10~1.777\HRSocket.exe
D:\Aloha\vbo\BIN_10~1.777\VBODiag.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Part two to follow.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 09, 2009, 07:44:24 PM
Part two.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&siteState=ver%3a4%7crt%3aSTANDARD%7cac%3aWS%7cat%3aSNS%7cld%3awebmail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aAOL%7csnt%3aScreenName&offerId=mail-second-en-us&seamless=novl&xchk=false
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exxe
O4 - HKLM\..\Run: [WinVNC] "d:\Aloha\rdf\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HRSocket] d:\Aloha\vbo\BIN_10~1.777\HRSocket.exe
O4 - HKLM\..\Run: [VBODiag] d:\Aloha\vbo\BIN_10~1.777\VBODiag.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DynDNS Updater Tray Icon.lnk = C:\Program Files\DynDNS Updater\DynTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D855CE2-0433-4364-849B-41DBBD5D2CE1}: NameServer = 209.84.253.11,209.84.253.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = eagletel.us
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D855CE2-0433-4364-849B-41DBBD5D2CE1}: NameServer = 209.84.253.11,209.84.253.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = eagletel.us
O23 - Service: AlohaFTP (ALOHA) - Ibertech, Inc. - D:\aloha\FTP\alohas.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Aloha Durable Messaging Service (ATDDB) - Radiant Systems - d:\Aloha\vbo\bin_10.1.77.777\ATDDB.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CtlSvr - Radiant Systems, Inc. - d:\Aloha\bin\Ctlsvr.EXE
O23 - Service: DataSvr - Unknown owner - C:\Program Files\Wave Systems Corp\Common\DataServer.exe (file missing)
O23 - Service: DynDNS Updater - Dynamic Network Services, Inc. - C:\Program Files\DynDNS Updater\DynUpSvc.exe
O23 - Service: EdcSvr - Radiant Systems, Inc. - d:\Aloha\bin\Edcsvr.EXE
O23 - Service: Aloha GC Legacy Interface (GCLegacy) - Radiant Systems - d:\Aloha\vbo\bin_10.1.77.777\GCLegacy.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radiant Heartbeat (PollCheck) - Radiant Systems - D:\aloha\ftp\PollCheck.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - d:\Aloha\rdf\WinVNC.exe

--
End of file - 14103 bytes
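The HijackThis log above is long enough that the duplicated avast images are easy to miss by eye, and the O23 section mixes vendor-signed services with an "Unknown owner" entry whose binary is missing. The following Python is an added example (not HijackThis code and not from anyone in this thread) that parses a log of this shape, counts every image that appears more than once under "Running processes:" (ignoring svchost.exe and iexplore.exe, which legitimately run several times), and lists O23 services with no identifiable owner or an absent binary. SAMPLE_LOG is a constructed excerpt modelled on the posted log, not the log itself.

```python
"""Flag duplicated process images and odd O23 service entries in a
HijackThis-style log.  Added example for this thread, not HijackThis
code; SAMPLE_LOG is a constructed excerpt modelled on the posted log."""
import re
from collections import Counter

SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashWebSv.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashWebSv.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe

O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe
O23 - Service: DataSvr - Unknown owner - C:\\Program Files\\Wave Systems Corp\\Common\\DataServer.exe (file missing)
O23 - Service: VNC Server (winvnc) - UltraVNC - d:\\Aloha\\rdf\\WinVNC.exe
"""

# Images that legitimately run several times on Windows XP.
MULTI_INSTANCE_OK = frozenset({"svchost.exe", "iexplore.exe"})

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
MISSING = "(file missing)"


def running_processes(log):
    """Return the image paths listed under 'Running processes:'
    (the section ends at the first blank line)."""
    lines = log.splitlines()
    if "Running processes:" not in lines:
        return []
    procs = []
    for line in lines[lines.index("Running processes:") + 1:]:
        if not line.strip():
            break
        procs.append(line.strip())
    return procs


def duplicate_images(log, allow=MULTI_INSTANCE_OK):
    """Map lower-cased image path -> count for every image seen more than
    once, ignoring binaries in `allow`.  Paths are case-folded because the
    log prints System32/system32 inconsistently."""
    counts = Counter(p.lower() for p in running_processes(log))
    return {p: n for p, n in counts.items()
            if n > 1 and p.rsplit("\\", 1)[-1] not in allow}


def service_entries(log):
    """Parse O23 lines into dicts: name, owner, path, missing."""
    entries = []
    for line in log.splitlines():
        m = O23_RE.match(line)
        if not m:
            continue
        path = m["path"].strip()
        missing = path.endswith(MISSING)
        if missing:
            path = path[:-len(MISSING)].strip()
        entries.append({"name": m["name"], "owner": m["owner"],
                        "path": path, "missing": missing})
    return entries


def questionable_services(log):
    """Services with no identifiable vendor or whose binary is absent;
    both deserve a look but neither proves infection on its own."""
    return [s for s in service_entries(log)
            if s["missing"] or s["owner"] == "Unknown owner"]


if __name__ == "__main__":
    for path, n in sorted(duplicate_images(SAMPLE_LOG).items()):
        print(f"{n:3d} x {path}")
    for s in questionable_services(SAMPLE_LOG):
        print(f"check service {s['name']!r}: {s['path']}"
              + (" [file missing]" if s["missing"] else ""))
```

Run against the full log in the thread, the same code reports 50 copies each of ashMaiSv.exe and ashWebSv.exe, which is the condition DavidR flagged at the start: a healthy avast 4 install shows one of each.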
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 09, 2009, 08:55:06 PM
You seem to have several instances of Norton/Symantec AV running on your PC; DavidR mentioned this first off. Did you run the removal tool he suggested? http://forum.avast.com/index.php?topic=46553.msg391316#msg391316
Are you running two AVs?
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 10, 2009, 02:30:14 AM
The tool that was suggested required knowing what version of Norton/Symantec had been installed. I do not recall what version or even what year exactly it was removed. The remnants are not really remnants. ccApp is common code for the Symantec applications that are still installed, i.e. Ghost for automatic backups, LiveUpdate for all Symantec products, and pcAnywhere.

The file I pointed out earlier, c:\Windows\715219c8b97e6ab3972c8ff73348b4c1 (no extension), appears to be intercepting/capturing credit card transaction information from the Point of Sale system into the above-named file (hence it grows as the day progresses) and saving the file once a day at exactly 10:00 am (the next morning) as .txt files in c:\Windows. I found one for each day beginning on July 1, the date that wh.exe first appeared. The July 1 file had no data in it because the POS/credit card app was not running when wh.exe arrived at 1:03 am. Every day since, it has saved the files as S20090702.txt, S20090703.txt, etc., and the file attributes are "System and Hidden". The POS application does not save any files to C:\Windows. In fact, all its data is on another physical drive.

Each transaction has a transaction number, terminal number, "HLD", CC number, exp date, and amount, each as a line of text in a text file format. I was able to open the file with Notepad.
Perhaps the hacker knows something about the POS software and is searching for the HLD character sequence!

Any more assistance is greatly appreciated.

Thanks,

Jay Gee

We are now officially in panic mode to stop this. Will be back on it in 11.5 hours from now.
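The post above describes a memory-scraper style drop: a daily text file in C:\Windows, named S<yyyymmdd>.txt or a bare 32-hex name, with one line per transaction carrying the "HLD" marker, the card number, expiry and amount. The Python below is an added example (not from anyone in this thread and not part of the POS product) of the triage check a responder would run over such a directory: it looks for files whose names match those two patterns and for lines containing a Luhn-valid 13 to 19 digit run, and records only counts and the last four digits so the finding does not itself become another copy of the card data. The record layout (transaction, terminal, HLD, PAN, expiry, amount) is assumed from the post; the sample files are constructed and use public test card numbers.

```python
"""Look for a plaintext card-data dump of the kind described above:
lines carrying a marker ("HLD") and a Luhn-valid primary account number,
in files named like S20090702.txt or a bare 32-hex name.  Added example;
file contents are constructed and use public test card numbers, and the
POS record layout is assumed from the post."""
import re
import tempfile
from pathlib import Path

CARD_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
DAILY_DUMP = re.compile(r"^S\d{8}\.txt$", re.IGNORECASE)   # S20090702.txt
HEX32_NAME = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)  # md5-looking, no extension
MARKER = "HLD"


def luhn_ok(digits):
    """Luhn mod-10 check; weeds out most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_like_numbers(line):
    return [m.group() for m in CARD_RUN.finditer(line) if luhn_ok(m.group())]


def scan_text(name, text):
    """Summarise one file.  Only counts and last-4 digits are kept so the
    finding does not become another copy of the card data."""
    hits = [ln for ln in text.splitlines() if card_like_numbers(ln)]
    return {
        "file": name,
        "suspicious_name": bool(DAILY_DUMP.match(name) or HEX32_NAME.match(name)),
        "card_lines": len(hits),
        "marker_lines": sum(MARKER in ln for ln in hits),
        "last4": sorted({n[-4:] for ln in hits for n in card_like_numbers(ln)}),
    }


def scan_tree(root):
    """Scan every regular file below root; report files that either look
    like a dump by name or contain card-like lines."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue
        f = scan_text(p.name, text)
        if f["card_lines"] or f["suspicious_name"]:
            findings.append(f)
    return findings


# Constructed sample files; PANs are public test numbers, not real cards.
SAMPLE_FILES = {
    "S20090702.txt": (
        "1001,3,HLD,4111111111111111,0912,42.50\n"
        "1002,3,HLD,5500000000000004,1110,18.00\n"
        "1003,3,HLD,1234567890123456,0111,9.99\n"   # fails Luhn: not counted
    ),
    "715219c8b97e6ab3972c8ff73348b4c1": "1004,2,HLD,340000000000009,0510,77.25\n",
    "readme.txt": "Terminal 3 installed 7/1/2009, serial 12345678.\n",
}


def demo():
    """Write the sample files to a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_FILES.items():
            (Path(d) / name).write_text(body)
        return scan_tree(d)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

On the affected machine you would call scan_tree on C:\Windows (after copying the directory off the box, since the live file is held open by the writing process); a Luhn match alone is weak evidence, which is why the result also reports how many of the matching lines carry the HLD marker and whether the file name fits the dump pattern.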
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 10, 2009, 12:13:27 PM
I would run the Norton removal tool, regardless of what version you had. You initially said Avast removed 3 trojan-related finds, MBAM removed a backdoor bot, Avira removed wh.exe (we still do not know how serious that was). You still report suspicious activity, and use the PC for business.
All I can suggest is you try more scanners (scanning any external drives too) and report any findings.

If I was in your position, I would not hesitate to restore the PC to a clean image, if you have one (I assume you have, with Norton Ghost) from before July 1, the date that wh.exe first appeared.

Here is a list of various scanners; some will find and report parts of the un-removed Combofix, and possibly the other tools you used (sdfix, etc.).

Anti virus scanners:
http://housecall.trendmicro.com/
http://www.freedrweb.com/
http://www.kaspersky.co.uk/virusscanner (will not remove malware)
http://www.eset.com/onlinescan/

Anti spyware:
http://www.superantispyware.com/

Anti rootkit:
http://filehippo.com/download_rootkit_revealer/ (does not remove)
http://majorgeeks.com/Sophos_Anti-Rootkit_d5238.html
http://www.trendmicro.com/ftp/products/rootkitbuster/RootkitBuster_2.52.1013.zip

Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 10, 2009, 09:49:14 PM
It took me 7 1/2 hours, but today I downloaded the Sysinternals Suite from http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx and with the ProcMon program was able to isolate that c:\Windows\715219c8b97e6ab3972c8ff73348b4c1 was being updated every time a credit card transaction was processed, by a module called ramsys32.sys. I could not find a reference to it anywhere by a Google search, so I moved it from C:\Windows\system32 to another folder. Subsequently, I saw a module in the Process tab of ProcMon that referred to another .sys file that did not exist in the folder it pointed to. However, in browsing the referenced folder I found another module called catchme.sys. This booger WAS found in a Google search. I ran it through VirusTotal and only McAfee had anything to say about it:

McAfee-GW-Edition 6.8.5 2009.07.10 Heuristic.BehavesLike.Win32.Rootkit.L

I moved it to another folder and rebooted. Suddenly everything seems fine.

The c:\Windows\715219c8b97e6ab3972c8ff73348b4c1 has not come back or appeared with another name of similar length and attributes.  Also, none of the processes in the taskmgr list say User Name Unknown.

While this monster was residing in the system no one was able to login via RDP and suddenly we can again.

Lastly, Norton Ghost was reporting that the trial period had expired.  We have a paid subscription that suddenly is "not expired" anymore.

I just reinstalled AVAST and I no longer have multiple instances of ashMaiSv and ashWebSv running much less 50.

Thanks to micky77 for patience and all the assistance.

Regards,

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: DavidR on July 10, 2009, 10:26:21 PM
If you moved it to a different folder and avast doesn't detect it then you should send the sample to avast to improve detections.

Send the sample to virus@avast.com, zipped and password protected, with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there), where it can do no harm, and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: micky77 on July 11, 2009, 12:02:38 AM
I just reinstalled AVAST and I no longer have multiple instances of ashMaiSv and ashWebSv running much less 50.

I'm so glad you sorted your problem out, well done to you. Hope you have no further problems. If I get a problem with my PC, I'm coming to you for help  :)
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: Jaygee on July 11, 2009, 02:15:18 AM
David R,

I did send the rascals to AVAST via email and the chest.

Micky77,

If nothing else I am very persistent and can't stand it that people out there feel some sense of joy or some twisted satisfaction from doing this type of thing to others.

What ever happened to "Do unto others as you would have them do unto you?"

Regards,

Jay Gee
Title: Re: Multiple instances of AVAST modules in Taskmgr
Post by: carmellad on August 08, 2009, 04:10:16 PM
I can see you're running Aloha, so this is on a POS system. You should get a POS technician.

I would NEVER return to Aloha by Radiant though... ChikPOS has been fantastic. I've had NO problems with it whatsoever. It's a Jeremy Shum invention, so it's a quality Aussie product too, helping the economy. The features are also endless... multi-language support, managerial decision making reports, not locked to hardware, fully multi-touch (like iPhone), external monitor support, XBRL compliant, auto-generation of online store, can advertise "related products", corporate chat support, show time/date/news on external screen... it's just top stuff. AND it's Windows 7 compatible!