Topic: Suspicions of virus activity

caroln

  • Guest
Suspicions of virus activity
« on: January 10, 2007, 03:51:42 PM »
I have a PC I have just upgraded to XP SP2.  The PC is a Pentium 4 CPU 2.66 GHZ with 128 Mb RAM.  I am running avast, spybot, and Ad-Aware.  Bootups are slow, which I am sure will be corrected by more memory.  The issue which concerns me is that avast comes up in the system tray with a red x and I get a message that "No firewall is turned on."  These both go away if I wait, and if I go to control panel to check the Windows firewall settings, it says that it is on.

I have run avast in safe mode with the internet cable unplugged and it comes up clean.  Spybot, run from regular Windows, also comes up clean, as does Ad-Aware.

I have never seen avast come up with the red x.  Is this normal?

caroln

  • Guest
Re: Suspicions of virus activity
« Reply #1 on: January 10, 2007, 04:40:53 PM »
I have also updated Avast and run it as a boot scan.  It says I'm clean.  I can load and run Hijack if there is somebody here who can interpret it.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Suspicions of virus activity
« Reply #2 on: January 10, 2007, 05:14:18 PM »
Quote
I can load and run Hijack if there is somebody here who can interpret it.

I'm sure they'll be somebody around who can do that for you.
Bambleweeny 57 sub-meson brain / Don't Surf in the Nude Blog

caroln

  • Guest
Re: Suspicions of virus activity
« Reply #3 on: January 10, 2007, 10:17:15 PM »
To clarify, I guess my eyes are not too good.  The avast system tray icon comes up with a red circle with a line through it appearing on the lower left corner of the icon.  It does go away if you wait.  The message about no firewall comes up sometimes, but not all the time.   As I said, I am not sure if this occurs just because of a small amount of memory, or if something is sneaking in there before avast can run.  I'd appreciate any help you can give.
Thanks!
Carol

The HijackThis log is:
Logfile of HijackThis v1.99.1
Scan saved at 3:54:12 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168135590953
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)



The Silent Runners log is:
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


I'll post the rest in the next window.

caroln

  • Guest
Re: Suspicions of virus activity
« Reply #4 on: January 10, 2007, 10:18:42 PM »
Continuation of Silent Runners log

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 29 seconds.
---------- (total run time: 71 seconds)

Thanks!

galooma

  • Guest
Re: Suspicions of virus activity
« Reply #5 on: January 10, 2007, 10:48:57 PM »
Your log looks ok   ;)
The main concern I would have is getting some more RAM into it.

I presume you are running a Dell machine. If that's the case and you wish to regain some of its processing power away from all the preinstalled stuff that usually comes from Dell, this might interest you: http://www.yorkspace.com/pc-de-crapifier/

Good luck  :)

caroln

  • Guest
Re: Suspicions of virus activity
« Reply #6 on: January 10, 2007, 11:36:09 PM »
Thanks a bunch for all your help!
Carol

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Suspicions of virus activity
« Reply #7 on: January 11, 2007, 12:11:56 AM »
avast gets running pretty quickly, so it should be ready to protect early too.

It is best to have HJT in a folder that isn't a temp location (which could be cleaned, losing any backed-up entries if you had to fix anything), e.g. c:\HJT or any permanent HDD location.

Your log file looks clean, probably one of the smallest I have seen in a while; an on-line analysis highlights firewall protection.
Quote
We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
Since you are getting an alert that the firewall isn't on, go to the Control Panel, Windows Firewall and ensure it is on.

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

- Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others: Comodo, Sunbelt Kerio, Jetico, etc.
See some firewall tests for comparison; some are freeware but many are paid-for versions: http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml

I haven't used silent runners before but the data doesn't seem to have anything untoward.

Take care with Spybot's TeaTimer start-up protection; it could eat the avast icon, ashDisp.exe.

Increasing the RAM would make a huge difference to your overall system performance, as 128 MB is considered the absolute minimum for XP; when you start adding other applications that start on boot, they have overheads also. 256MB would be adequate, 512MB would be good and 1GB great. RAM is relatively cheap; however, having a Dell, they don't like you upgrading much, and to send it to them would be costly.

Your local Tech/Computer store should be able to upgrade RAM, and unlike many Dell parts I don't believe this is a proprietary part, so it should be user upgradable. You could call them to check.

You should urgently think of upgrading RAM; if you were to install a 3rd party firewall before upgrading RAM, the system would be even slower.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

caroln

  • Guest
Re: Suspicions of virus activity
« Reply #8 on: January 11, 2007, 03:01:22 PM »
Thanks DavidR.
I was wondering why I kept getting a popup saying there was no firewall, even though Windows said it was running.  I agree about the RAM.  I have told the owner of the PC that she should upgrade to 1MB, but that my PC was working fine with 512.  She is thinking about going to 512.  She doesn't do heavy gaming or other graphics.  Just uses it for the internet, financial, and word processing.  I have also warned her that if she wants to update software in the future, more memory might be critical and the 512 purchase would be throw away.

I really want to tell you guys that you do a good job here, and thanks for the help.

Do you know how I can learn to interpret Hijack This so I can be more independent?  Thanks!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Suspicions of virus activity
« Reply #9 on: January 11, 2007, 03:27:44 PM »
You can enter a training course at some sites; this is both intensive and time consuming, so you have to have more than a general interest or just self help.

Well, you can get some help at on-line analysis sites, but you shouldn't take it as 100%; it gives a reasonable starting point to investigate what it classes as Nasty, Possibly Nasty or Unknown, etc. Then you use the likes of Google to search on the file names, etc. and see if that confirms the analysis.

On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2

The first of these also has the ability to upload suspect files to be scanned; this can also be done at other sites. You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner or Jotti - Multi engine on-line virus scanner. If any other scanners there detect them, it is less likely to be a false positive.

There are also HijackThis tutorials, and these also provide other very useful information to help analyse the log: HJT Information, HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3

That should be enough to keep you going ;D
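Reading a HijackThis log, as DavidR describes above, comes down to splitting each line into its section code (O4, O23, ...), the registered name and the file or URL it points at, and then asking the same questions a volunteer analyst asks: does the file exist, where is it running from, and what host does an O16 ActiveX download come from. The example below is added here and is not code from this thread or from HijackThis itself: a small Python parser over a constructed excerpt in the v1.99.1 format Carol posted. The three flags it raises (a "(file missing)" registration, a process or entry launched from a Temp directory, and the host behind an O16 download) are my own triage heuristics, not HijackThis features, and a flag is a lead to check by hand or at a multi-engine scanner, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a few lines in the HijackThis v1.99.1 layout shown
# earlier in this thread (not Carol's full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168135590953
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# An HJT entry line: section code, " - ", then the free-form body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in a common loadable/launchable extension.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|scr|sys|ocx|cpl|cab)\b", re.I)
URL_RE = re.compile(r"https?://\S+")
# Heuristic (my own): anything under a \Temp\ directory is worth a second look.
TEMP_RE = re.compile(r"\\temp\\", re.I)


@dataclass
class Entry:
    code: str                      # HJT section code, e.g. "O4", "O23"
    body: str                      # everything after "Oxx - "
    path: Optional[str] = None     # first Windows path found in the body
    url: Optional[str] = None      # first URL found (R0 start page, O16 download)
    notes: List[str] = field(default_factory=list)  # triage flags, heuristic


def make_entry(code: str, body: str) -> Entry:
    """Extract path/URL from an entry body and attach triage notes."""
    e = Entry(code, body)
    if (m := WIN_PATH_RE.search(body)):
        e.path = m.group(0)
    if (u := URL_RE.search(body)):
        e.url = u.group(0)
    if "(file missing)" in body:
        e.notes.append("file missing: registration points at a path HJT could not find")
    if e.path and TEMP_RE.search(e.path):
        e.notes.append("launched from a temp directory")
    if code == "O16" and e.url:
        e.notes.append(f"ActiveX download from {urlparse(e.url).hostname}")
    return e


def parse_hjt_log(text: str) -> Tuple[List[str], List[Entry]]:
    """Return (running processes, parsed entries) from HJT log text."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if (m := ENTRY_RE.match(line)):
            in_processes = False          # first entry line ends the process list
            entries.append(make_entry(m["code"], m["body"]))
        elif in_processes:
            processes.append(line)
    return processes, entries


def flagged_processes(processes: List[str]) -> List[str]:
    """Processes whose image lives under a Temp directory."""
    return [p for p in processes if TEMP_RE.search(p)]


def triage(text: str) -> List[str]:
    """One human-readable finding per heuristic hit; empty list means nothing flagged."""
    processes, entries = parse_hjt_log(text)
    findings = [f"process running from temp: {p}" for p in flagged_processes(processes)]
    for e in entries:
        for note in e.notes:
            findings.append(f"{e.code} {note}: {e.path or e.url}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports three leads: HijackThis.exe itself running from the Temp folder (DavidR's point about keeping HJT in a permanent location), the O16 download host, and the avast Mail Scanner service that HJT marks "(file missing)". In Carol's log that last flag appears on two avast services that are clearly installed, which is exactly why a tool's flag is something to confirm by checking the path on disk rather than a reason to "fix" the entry.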

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Suspicions of virus activity
« Reply #10 on: January 11, 2007, 08:03:58 PM »
Quote
Do you know how I can learn to interpret Hijack This so I can be more independent?  Thanks!

I can do no more than recommend Geeks to Go as I am training there and it is thorough http://www.geekstogo.com/forum/Would_you_like_to_learn_to_fight_malware-t4817.html

Spiritsongs

  • Guest
Re: Suspicions of virus activity
« Reply #11 on: January 11, 2007, 09:49:35 PM »
:)  Hi Caroln:

The brevity of the HijackThis log you posted should result in you being asked IF you ran the HijackThis program in "Safe Mode"!? If you did that, then the log you posted is of very little help in discovering any possible problem. HijackThis logs are BEST analyzed by Experienced, Trained, volunteer Malware Experts usually found on antiSPYWARE Support Forums, like the ones Spybot has at http://forums.spybot.info.

Since your current HijackThis program is in an inappropriate place, I recommend you uninstall it, then:
Download HijackThis© from:  www.thespykiller.co.uk/files/HJTsetup.exe .
At the download prompt, choose "Save". 
Navigate to the saved file and double-click the installer, HJTsetup.exe.
HijackThis will be installed on your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.
When the installation is complete, exit HijackThis.

As to learning about HijackThis, I recommend you read the "Tutorials" at:
www.bleepingcomputer.com/tutorials/tutorial42.html ;
http://aumha.org/a/hjttutor.php ;
http://castlecops.com/HijackThis.html .

As to being "trained" as a volunteer Expert, I feel the "School" at Malware Removal University at http://forum.malwareremoval.com/viewtopic.php?t=233&sid=fca6dd7bc9eb3b0c1e223be11f879207 is equal or better than the one at Geeks To Go.

mauserme

  • Guest
Re: Suspicions of virus activity
« Reply #12 on: January 12, 2007, 02:00:00 AM »
You've made some good points Spiritsongs.  But then this:
Quote
HijackThis logs are BEST analyzed by Experienced, Trained, volunteer Malware Experts ...

Well, we have those here.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Suspicions of virus activity
« Reply #13 on: January 12, 2007, 02:07:06 AM »
Quote
Well, we have those here.

Do not count on me... For sure I'm not an expert on malware removal, HijackThis, etc.
Mauserme, I really think it's better to get malware help on the links posted by Spiritsongs.
We're most used to avast; some of the others know about virus removal, but, in my opinion, they are the experts  ;)
The best things in life are free.

galooma

  • Guest
Re: Suspicions of virus activity
« Reply #14 on: January 12, 2007, 03:20:07 AM »
I would argue that the vast majority of people coming here seeking help only want to know where to look for answers.

The last thing we should be doing is sending them off to these obscure, boutique removal sites with their toilet paper diplomas that get a couple of posts a week.

In most instances it is better that a person gets contributions promptly and from a variety of sources so they can use their own judgment.

Just my 2c worth and no disrespect to any individual. 8)