Author Topic: Virus? (Read 2985 times)

wootie · « **on:** August 09, 2006, 02:58:38 AM »

Hi,

A few weeks ago i've reinstalled my Windows XP Pro SP2.
I made all update & installed back my software.
Since a few hours the Avast icon has dissapeared and so the icon of Ultramon & Creative Labs...
I tried to put it back those thru the registry and it worked fine one time and then dissapereared again.
It's like some malicious software is removing all entries in the registry "microsoft->windows->currentversion->run".
Also i run tcpview from sysinternal and it seems that my computer try to establish a link to IP 209.190.29.130:80 thru a system process.
I ran Avast manually with all update but didn't find any virus ...
Does someone knows what happen ?

Thx

Yves

Ps : i made a screenshot of the TCPView

Lisandro · « **Reply #1 on:** August 09, 2006, 03:10:55 AM »

Quote from: wootie on August 09, 2006, 02:58:38 AM

It's like some malicious software is removing all entries in the registry "microsoft->windows->currentversion->run".

Do you use WinPatrol, PrevX, TeaTimer (of Spybot), Ad-watch or any other startup monitor?

Quote from: wootie on August 09, 2006, 02:58:38 AM

I ran Avast manually with all update but didn't find any virus ...

Try trojan removers: a-squared, ewido or Spyware Terminator.

Quote from: wootie on August 09, 2006, 02:58:38 AM

i made a screenshot of the TCPView

Well, ashMaiSv.exe is the mail scanner of avast... (Is it this one? http://forum.avast.com/index.php?topic=19794.0;topicseen)
Are you checking email? Do you use any spam tool?

wootie · « **Reply #2 on:** August 09, 2006, 03:29:20 AM »

Well .. i run nothing @ startup right now... No Spyware Removal tools ....
Fact is that when i add a line in the registry telling to get the icon of avast in my toolbar after reboting are my registry entries empty!.

I was just wondering why my computer try to establish a link to 209.190.29.130:80 & 66.249.85.99.

I look to me like something like a rootkit or something like that...

Further when you call http://209.190.29.130 it goes to a really "bizarre" page...

Yves

Spiritsongs · « **Reply #3 on:** August 09, 2006, 05:37:53 AM »

Hi Yves :

If you suspect a rootkit, the best place to get help is :

http://www.castlecops.com/f233-Rootkit_Revelations.html

66.249.85.... may be a CWS site; I checked 209.190.29....
at "Webhelper" s site but it was not listed ( yr 2004 ) .

wootie · « **Reply #4 on:** August 09, 2006, 11:35:39 AM »

Thx
I'll check castlecops.com
I let you know what i find.

Thanks,
Yves

wootie · « **Reply #5 on:** August 09, 2006, 01:13:52 PM »

I went thru windows restore.. made some restore from 2 days ago and the connection dissapeared..
And my registry seems to be fixed..

Thx for the help
Yves

Author Topic: Virus? (Read 2985 times)

wootie

Virus?

Lisandro

Re: Virus?

wootie

Re: Virus?

Spiritsongs

Re: Virus?

wootie

Re: Virus?

wootie

Re: Virus?