Topic: avast itself infected?!


soul

avast itself infected?!
« on: October 24, 2006, 08:57:59 PM »
Gentlepeople, i'm not sure where to post this, so i hope someone can direct me to the right forum if this isn't it - thank you for your patience! as well as for any help you can offer.

about two weeks ago i was talked into upgrading from windows98 to windows 2000, and have been having a real hard time with trojans, viruses and so on ever since. a few days ago i started having problems with my internet connection collapsing within about thirty seconds every time i try to go on line; yesterday a helpful friend decided the best idea was to install Avast for me to replace my Norton AV. (he removed the Norton stuff using just the "remove software" routine - i later downloaded/ran that Norton removal program to make sure it's all genuinely gone); the version of Avast he installed identifies itself as the 4.7 Home Edition (Polish-language version).

this did allow me to maintain an internet connection (say hallelujah!) but when it was running the first scan (in safe mode) Avast identified part of *itself* as infected and quarantined two of its own files.  is this normal?? 

i still have Avast installed, and it's alerting me with distressing regularity that it's finding bugs, so i reckon it's still functioning, but when i run HijackThis, it pinpoints two Avast services and notes "file missing", which makes me uneasy.

so i want to uninstall this version of Avast and reinstall it (in an English-language version - the "change program" routine doesn't work: it keeps telling me English is unavailable even though i've downloaded the English files twice), but i've been having so many problems that i'm hesitant to do that without getting some expert advice first on the best way to proceed.  (for example: will doing the "remove software" routine be enough to uninstall the old one before i install the new one, or do i need to take some extra steps as well?)

also: i want to go through the "general cleaning instructions" someone kindly posted on another thread in this forum: http://www.wilderssecurity.com/showthread.php?t=50662
but since a few of them are specified as being for XP and i'm using 2000, i would deeply appreciate help locating procedures/removal tools suitable for windows 2000.   

i do already have an updated Ad-Aware, and all the current Microsoft updates ...
thanks very much indeed for any help/advice/insights you could offer.

FreewheelinFrank

Re: avast itself infected?!
« Reply #1 on: October 24, 2006, 09:37:09 PM »
Hi soul,

Do you have a firewall? I believe Win2000 doesn't have one. If you don't have a firewall, your computer will be open to attack.

Which files did avast! detect as infected? Can you remember?

Don't worry about the 'file missing' thing in HijackThis! It's normal, and the files are not really missing.

If you could post the HijackThis! log, that would be really useful.

a-Squared Free will run on Win2000, I think:

http://www.emsisoft.com/en/software/free/

DrWeb CureIT! too:

http://download.drweb.com/drweb+cureit/

Uninstalling avast! and reinstalling the version you want should work.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

soul

Re: avast itself infected?!
« Reply #2 on: October 24, 2006, 10:50:42 PM »
thank you very much indeed, Frank - i'm appending a fresh HijackThis log below; meanwhile, to try to answer your questions (and to add a couple of new ones of my own):

~ i did briefly install a trial version of Norton Personal Firewall, when all this trouble started, but [a] it caused my computer to run unbearably slow, and my helpful friend who installed Avast instead of the Norton stuff told me Avast *is* a firewall.  i take it that's not quite right. 

~ i'm not sure it's the same infected file it found in itself before, but i just ran another Avast scan (thorough/safe mode) and it said it couldn't quarantine one that it had found in its own "move" file:
C:\Program Files\Alwil Software\Avast4\DATA\moved\psexec.exe.vir

not knowing what else to do, i chose the "move/rename" option; after that the "scanner status" thing read: Infected.  i didn't like that, so i stopped the scan; the log said it had moved that psexec.exe.vir to the "move" file (where it was to begin with); and also noted:
C:\Documents and Settings\SSSOUL1\...\Flash9.ocx  "unable to scan"

there seemed to be more to the entry, but it was beyond the "margins" of the log.
(is it normal that after i've had Avast move/rename something, there's nothing in the "moved" folder?  and is the "move/rename" option the right one to choose, when the quarantine fails?  it's not very clear from the interface what that accomplishes.)

~ since my previous post, i tried to download the Avast Virus Cleaner and some of the software recommended on that "general cleaning instructions" page, but *all*  the links came up as "unable to load" or just blank.  i'm hoping that was just a temporary fluke (or maybe because i'm using Firefox?  i know a lot of pages require IE, which i try to avoid using) but it seems worth noting in case it means something ominous.

~ i will try to download those two tools you mention - or do they both do the same thing?  that is: do i need them both, or will they conflict with one another, or ... ?  sorry if i'm being overcautious but it's been that kind of week.  :]

thank you thank you for taking an interest; now here's that HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:21:35 PM, on 2006-10-24
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\csrss.exe
C:\WINNT\lsass.exe
c:\winnt\system32\microsoft\user\FireDaemon.EXE
c:\winnt\system32\microsoft\user\dll39.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\sistray.EXE
C:\WINNT\system32\khooker.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Wanadoo\taskbaricon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus - welcome to the Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Wanadoo\taskbaricon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160640790354
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160657231421
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\csrss.exe
O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: FireDaemon Service: QOS (QOS) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: SmartLinkService (SLService) -   - C:\WINNT\SYSTEM32\slserv.exe

 

DavidR

Re: avast itself infected?!
« Reply #3 on: October 25, 2006, 12:20:13 AM »
Here is an on-line analysis of your log file: http://hijackthis.de/logfiles/607ca613a474c1234bb00764cdf9b55f.html. You don't appear to have an active firewall; this can make cleaning your system an uphill battle.

There are several Nasty items that (may) need fixing, see the additional information in the on-line analysis.

C:\WINNT\csrss.exe (not in normal location)
C:\WINNT\lsass.exe  (not in normal location)

O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\csrss.exe
O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

You should check out the possibly nasty, unknown file names using google, and if you upload your log file contents to the site, after the analysis there is a paper clip icon so you can upload suspect files to be scanned.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
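An added example, not code from the thread or from avast!: a small Python triage script that applies the checks DavidR raises above to a HijackThis log, flagging a core NT process name running outside system32, an O23 service whose unquoted binary is reported missing, and a Local Page that points at an .htm in the system folder. The SYSTEM_ONLY list and the check functions are my own; the sample log is a constructed excerpt built from lines of the log posted above.

```python
import re
from pathlib import PureWindowsPath

# Core Windows NT processes that legitimately run only from <windir>\system32.
# The posted log shows C:\WINNT\csrss.exe and C:\WINNT\lsass.exe one level up,
# beside the genuine C:\WINNT\system32 copies: a classic file-name masquerade.
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "lsass.exe", "svchost.exe"}

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>.+)$")
R01_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+)= (?P<data>.+)$")


def _image_path(raw: str) -> PureWindowsPath:
    """Reduce an HJT path field to the executable: drop the stray quote and
    '/service' argument HJT leaves on quoted ImagePaths, and the '(file missing)' tag."""
    path = raw.split('"', 1)[0]
    path = re.sub(r"\s*\(file missing\)\s*$", "", path).strip()
    return PureWindowsPath(path)


def check_process(raw: str):
    """Flag a core NT executable name that is not running from a system32 folder."""
    p = _image_path(raw)
    if p.name.lower() in SYSTEM_ONLY and p.parent.name.lower() != "system32":
        return f"masquerading system process: {p} (the real {p.name} lives only in ...\\system32)"
    return None


def check_service(line: str):
    """Triage an O23 service line: masquerade first, then a genuinely missing binary."""
    m = O23_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    masquerade = check_process(raw)
    if masquerade:
        return f"O23 '{m.group('name')}': {masquerade}"
    # HJT 1.99.1 mis-parses a quoted ImagePath ("...\ashMaiSv.exe" /service) and then
    # reports '(file missing)' for a file that is present, as the avast! entries show.
    # Only an unquoted path that is reported missing is worth a second look.
    if "(file missing)" in raw and '"' not in raw:
        return f"O23 '{m.group('name')}': service binary not on disk, entry is stale or was removed by a scanner"
    return None


def check_local_page(line: str):
    """Flag an R0/R1 'Local Page' that points at an .htm inside the system directory."""
    m = R01_RE.match(line)
    if not m or m.group("value").strip() != "Local Page":
        return None
    p = PureWindowsPath(m.group("data").strip())
    if p.suffix.lower() in {".htm", ".html"} and "system32" in {x.lower() for x in p.parts}:
        return f"{m.group('key')} Local Page set to an .htm in the system folder: {p}"
    return None


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return the findings in log order."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        hit = check_process(line) if in_processes else (check_service(line) or check_local_page(line))
        if hit:
            findings.append(hit)
    return findings


# Constructed excerpt, using lines from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\csrss.exe
C:\WINNT\lsass.exe
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus - welcome to the Internet
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\csrss.exe
O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The avast! Mail Scanner line is deliberately left unflagged, matching Frank's note that its "(file missing)" is an HJT quirk rather than a real absence.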

mouniernetwork

Re: avast itself infected?!
« Reply #4 on: October 25, 2006, 01:32:17 AM »
Yes, also you should do further tests on the following:
c:\winnt\system32\microsoft\user\dll39.exe
C:\WINNT\system32\MSTask.exe - This one especially
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\sistray.EXE
C:\WINNT\system32\khooker.exe
C:\WINNT\system32\internat.exe - As well as this one

The two I pointed out seem very malicious to me so you might want to check Virustotal:
http://www.virustotal.com/en/indexf.html

Hope this helps

Al968

soul

Re: avast itself infected?!
« Reply #5 on: October 25, 2006, 01:47:33 AM »
thank you both very much indeed - i'm very grateful to you for taking an interest. that analysis is very helpful, and i appreciate your insights.

some of the suspicious ones - the ones with "wanadoo" in the name - are my server's stuff, but i'll try to find out from them what they do and which are actually necessary. a couple of the other suspicious ones may look weird because they're using Polish terms, but i'll do my best to double-check everything you've pointed out as being weird. thank you. one thing i'm not sure i understand: if i want to upload files to be analyzed, where do i do that? (sorry to be obtuse - it's way past my bedtime!)

but meanwhile i've installed a Zone Alarm firewall and hope it'll help some; i've also downloaded most of the tools recommended on that "general cleaning tips" page i mentioned earlier, and will run them after i get some sleep.

one last question before i fall asleep, though: is it recommended to keep the Avast "resident protection" running all the time, even now that i have this Zone Alarm firewall?

thanks so much again for your very kind interest and help.
 

DavidR

Re: avast itself infected?!
« Reply #6 on: October 25, 2006, 02:24:53 AM »
Both are essential: a resident AV (I never pause or disable them, you might forget to enable them) and an active firewall.

Welcome to the forums and goodnight, I'm heading in that direction too; it is almost 1:30 a.m.

mouniernetwork

Re: avast itself infected?!
« Reply #7 on: October 25, 2006, 03:23:46 AM »
Dear Soul:
I did some research of my own and it turns out you have infostealer.Netsnake.
Obviously it's malware so what you can do is the following:
1.) Zip the file c:\winnt\system32\internat.exe (the malware)
2.) Add the password "virus" to it
3.) Send it to virus (at) avast (dot) net
4.) Then you can send me an email so that I can send you a removal tool.
My address is nortonsucksstinks (at) yahoo (dot) com  ;D ;D ;D

Hope this helps

Al968

P.S: Don't forget to return the favor and send to avast so that other people won't get infected.  8)

Spiritsongs

Re: avast itself infected?!
« Reply #8 on: October 25, 2006, 06:50:50 AM »
:) Hi "Soul" :

First off, those "General Cleaning Instructions" of the Wilderssecurity thread are 2 yrs old; now there are better programs to use.
2nd : Most of the programs I know that are XP "oriented" still are "compatible" with Win 2000.
3rd : now that you have an antiVIRUS program and a firewall, you should have a GOOD & FREE antiSPYWARE/antiTROJAN program. You mentioned Ad-Aware; however, it is NOT listed anywhere in your HijackThis log. I have this program AND the FREE version of "SUPERantispyware" from www.superantispyware.com; this latter program is VERY GOOD & I recommend you get it.
Lastly, I hope you realize that Microsoft "Support" for Win 2000 ended Oct 10 and they will issue no more Updates.

soul

Re: avast itself infected?!
« Reply #9 on: October 25, 2006, 09:35:45 AM »
thank you all for taking an interest! i am deeply grateful.

Al968, i will do my best to follow your instructions for submitting the internat.exe file to avast - that's been on my computer since i first got it, and i thought it was part of an MS package that enables languages like Polish.  but if it's some kind of shady character of course i'll be glad to turn it in.

Spiritsongs, thanks for clarifying that those "general cleaning instructions" are somewhat outdated. i believe Ad-Aware doesn't show in the HijackThis log because it wasn't running at the time - but i'm very used to being wrong about these things, so if that's not the way it's supposed to work i hope someone will set me straight.

also i will very gratefully try the "SUPERantispyware" you've recommended - could you perhaps advise me which of the tools i've downloaded that one would replace? one thing i think i've learned this last week is that it's not always a great idea to have too many of these tools at the same time. in addition to Ad Aware, i've just downloaded free versions of:

~ a fresh English-language version of Avast (installed/running)
~ Zone Alarm firewall (installed/running)
~ AVG Anti-Spyware 7.5 (installed/running)
~ Spybot (installed but not yet run)
~ Stinger (installed but not yet run)
~ CW Shredder (installed but not yet run)
~ VX2finder (installed but not yet run)

from earlier in this effort to clean up i also have Smitfraudfix, Vundofix, Look2Me Destroyer and FxSplL2Me. 

FreewheelinFrank

Re: avast itself infected?!
« Reply #10 on: October 25, 2006, 10:14:34 AM »
The files you noticed in the 'moved' directory were not avast! files. avast! puts malware into the moved directory (where they cannot be started) in Win2000 during a scan in safe mode, I suspect. Scanning in normal mode will detect the files again, and this time move them to the chest.

As you have had some trouble downloading anti-malware programs, I suggest you check your hosts file, and reset it if you find any suspicious entries; malware often uses the hosts file to block downloads.

http://en.wikipedia.org/wiki/Hosts_file

You can safely use a-Squared alongside avast! I recommend you download it, install and update it and run a scan as a double check; it checks for malware: worms, Trojans, spyware etc.

CureIT! is a stand alone malware cleaner- download it and run it to check for and clean infections. It doesn't conflict with avast!

When you've run these two (and the comprehensive list of anti-malware programs you've downloaded) please post another HijackThis! log so we can check you are clean.
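An added illustration of the hosts-file check Frank recommends above (my own code, not from the thread or from any vendor): a Python script that parses a Windows hosts file, flags any entry for the download sites mentioned in this thread, whether it is blocked by pointing at loopback or redirected to another address, and produces a cleaned copy. The WATCHLIST domains and the sample hosts content are constructed assumptions.

```python
import ipaddress

# Download sites recommended in this thread (assumed watchlist; extend to taste).
# A hosts entry for one of these can only block or redirect it, so it is suspicious.
WATCHLIST = ("avast.com", "emsisoft.com", "drweb.com", "superantispyware.com",
             "microsoft.com", "windowsupdate.com", "hijackthis.de", "virustotal.com")

# The only mapping a stock Windows hosts file carries.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"


def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for every mapping; comments and junk are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # first field is not an address
        for host in fields[1:]:                    # one address may name several hosts
            yield n, ip, host.lower()


def _watched(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text: str) -> list:
    """Return (line_no, host, severity, detail) for every non-default mapping."""
    findings = []
    for n, ip, host in parse_hosts(text):
        if host == "localhost" and ip.is_loopback:
            continue                               # the entry Windows ships with
        if _watched(host):
            detail = "download blocked (sent to loopback)" if ip.is_loopback else f"redirected to {ip}"
            findings.append((n, host, "high", detail))
        else:
            findings.append((n, host, "review", f"manual override -> {ip}"))
    return findings


def clean_hosts(text: str) -> str:
    """Drop every line that carries a 'high' finding; a full reset is simply DEFAULT_HOSTS."""
    bad = {n for n, _, sev, _ in audit_hosts(text) if sev == "high"}
    kept = [ln for n, ln in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample; the vendor entries mimic what download-blocking malware writes.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.avast.com
127.0.0.1       download.drweb.com   # DrWeb CureIT download page
10.0.0.5        update.microsoft.com
192.168.1.20    printer.lan          # harmless local override
"""

if __name__ == "__main__":
    for line_no, host, sev, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} [{sev}] {detail}")
    print(clean_hosts(SAMPLE_HOSTS))
```

On Windows 2000 the file lives at C:\WINNT\system32\drivers\etc\hosts; the "review" entries are left in place because a local override such as a printer name is not evidence of tampering.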

soul

Re: avast itself infected?!
« Reply #11 on: October 25, 2006, 11:05:37 AM »
thank you all for the great input - i truly appreciate you!
and i'm sorry to have to bother you for help in zipping that internat.exe file in order to submit it as Al968 requested. i've located it in the system32 folder, right-clicked and selected WinZip -> add to zip file - is that the right thing to do? (i was also pondering the "zip & email" option, but since i use only online email and [as far as i know!] i don't have [or want] any email software enabled on my computer, i'm not sure i'll be able to use the "zip & email" option.)
Winzip then proposes adding an archive to the system32 folder - is that what i want it to do? or can i choose to have it put this archive on my pulpit instead, so i can locate it easily when i go to attach it to an email?
sorry again to be so obtuse - i just don't want to mess things up even more by making wrong guesses about the proper procedures.   

DavidR

Re: avast itself infected?!
« Reply #12 on: October 25, 2006, 02:51:51 PM »
You won't be able to use zip and email because that doesn't password protect the attachment; it is then likely to be detected en route (by other mail servers' anti-virus scanners) and deleted before it reaches the avast mail server, and so not received.

When you select (highlight) the file add it to an archive, in the window that pops up you can give the archive (zip) a name and also select the location it will be saved, choose a temporary folder that you can find later. Once you create the archive you should then be able to password protect it. I'm sorry I can't be more detailed as I haven't used winzip for a long time as I prefer 7zip.

Or you can send it from the virus chest. You don't want it in the system32 folder anyway, so you can open up the virus chest and from the User Files section, select File, Add, and navigate to the file (see image). Once you have it in the User Files section of the chest you can right click on the file and select email to Alwil Software; that process will pop up a window where you can give some details about an undetected sample. This process also takes care of the attachment, which will be encrypted.

soul

Re: avast itself infected?!
« Reply #13 on: October 25, 2006, 08:18:38 PM »
thank you, DavidR - i will try to send in that suspicious file the way you've described.

meanwhile, i've run all these gizmos in safe mode, in the order listed:

~ Avast (which found 7 nasties, but i don't know where to locate the log);
~ Stinger (found nothing);
~ AVG/ewido (found 20 infected objects, listing these problems: Trojan.Dialer.qy, Trojan.Zapchast.au, Trojan.Zapchast, Backdoor.Sd.Bot.atz and .aad, Worm.Randon.am, Trojan.NoShare.K and Backdoor.Zapchat);
~ Spybot (found one problem, Alexa-related);
~ Ad-Aware (found 7 negligible objects);
~ CWShredder (found nothing);
~ VX2Finder (its report was rather cryptic but since no file names were listed i guess that's good)

my fresh HijackThis log is below - i'll try to figure out how to submit it to that very cool analysis site you directed me to last night. i do have a couple of questions about it, though:

~ do i understand right that it's okay for me to go ahead and remove some of the oddities like those multiple IE "main pages" that aren't what i set as my home page in IE (which i never use anyway, if i can help it)?

~ i asked my server's "support staff" about those Wanadoo entries.  depending on who answers the phone, those either are or aren't associated with the server/modem; they either are or aren't important and necessary; and they either were or weren't on my computer already when i installed their programming.   8)  so ... shall i go ahead and try eliminating them to see if anything dire happens?

once again: multi-thanks for all your great input. 

Logfile of HijackThis v1.99.1
Scan saved at 7:56:37 PM, on 2006-10-25
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\winnt\system32\microsoft\user\FireDaemon.EXE
c:\winnt\system32\microsoft\user\dll39.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\sistray.EXE
C:\WINNT\system32\khooker.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Wanadoo\taskbaricon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rollingstones.com/members/login.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus - welcome to the Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Wanadoo\taskbaricon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O15 - Trusted Zone: www.iorr.org
O15 - Trusted Zone: http://www.rollingstones.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160640790354
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160657231421
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{7B0406B9-DC57-4A74-BF16-DD91EC23D6CE}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Generic Host Process for Win32 Service - Unknown owner - C:\WINNT\csrss.exe (file missing)
O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: FireDaemon Service: MSVC9 (MSVC9) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: FireDaemon Service: QOS (QOS) - Unknown owner - c:\winnt\system32\microsoft\user\FireDaemon.EXE
O23 - Service: SmartLinkService (SLService) -   - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

DavidR

Re: avast itself infected?!
« Reply #14 on: October 25, 2006, 08:40:07 PM »
Those were in my previous post and should be fixed immediately, as I can see no earthly reason why a start page should be referencing an htm page in your system folder other than malware (why an htm page should be there is another anomaly, other than to try to prevent you from removing it).
I assume this is your Homepage: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rollingstones.com/members/login.php. The other R0 and R1 entries, unless you specifically created them, should go.

You still haven't fixed all those items I flagged in my previous post http://forum.avast.com/index.php?topic=24464.msg200540#msg200540; they are still in the current HJT log.
I don't think the wanadoo entries are of a concern.

You just visit the page (http://hijackthis.de/index.php) and paste the contents of the log file into the input window in the same way you did for pasting them into the Post. What you should do in the future when generating your hijackthis log is shutdown any non essential applications, this will reduce the amount of data to check.
