Author Topic: Avasts been hijack please help  (Read 82975 times)


Offline essexboy

  • Malware removal instructor
  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avasts been hijack please help
« Reply #135 on: April 24, 2007, 11:48:03 PM »
There is actually a nifty new trojan online scanner currently being trialled by Panda. Once you have scanned and found something, head over to their Total Clean page and get it cleaned (you need to register for this part): http://www.nanoscan.com/
http://www.nanoscan.com/as/v1/principal.aspx

mauserme

Re: Avasts been hijack please help
« Reply #136 on: April 25, 2007, 03:45:44 AM »
It's the same problem with unencrypted signatures as Panda Active Scan.

Sean - you will get an avast! virus warning when installing the ActiveX control needed to run this scan.  It's not really a virus; it's a virus signature within the Panda scanner that is not encrypted.  Avast! is able to see the signature and reacts to it.

I normally don't like to recommend disabling your resident av to run Panda but you've been doing so pretty regularly anyway.  So turn off avast! and see if Panda finds anything (just don't stray away from the Panda site until avast! is turned on again).


EDIT: A little more on the IPs you listed.

I checked the RIPE database this time and find that the IPs in the range 84.53.134.0 - 84.53.137.255 are registered to AKAMAI-PA in the US.  I don't know for sure if Microsoft currently uses AKAMAI servers for updates but they have in the past.  Entering au.download.windowsupdate.com in the address field of my browser opens a page that looks just like a Windows update page (and probably is a Windows update page), so I'm less suspicious of this one.

IPs in the range 87.248.192.0 - 87.248.223.255 are registered to Limelight Networks Inc. in Great Britain.  I haven't found anything on this one related to updates but since the URL reads the same in your firewall log it is probably as benign or malicious as the AKAMAI addresses.

csc3-2004-crl.verisign.com [64.94.110.11] seems to be a Verisign Certificate Revocation List (CRL) that browsers using SSL certificates would update periodically.

I'm not ready to say these connections are completely harmless since, for example, it seems more likely that Internet Explorer would update the CRL rather than Windows Explorer, but maybe we're heading in a better direction.
« Last Edit: April 25, 2007, 04:58:45 AM by mauserme »

UK_Sean

Re: Avasts been hijack please help
« Reply #137 on: April 25, 2007, 03:07:04 PM »
Hi mauserme

I used the two new ones that essexboy linked to:

http://www.nanoscan.com     It found nothing.

http://www.nanoscan.com/as/v1/principal.aspx  did a full scan and it found a couple of false positives,

like SDFix's Process.exe, but in my backup drive folder and not the one on the C: drive.

Did what you said here

Quote
I normally don't like to recommend disabling your resident av to run Panda but you've been doing so pretty regularly anyway.  So turn off avast! and see if Panda finds anything (just don't stray away from the Panda site until avast! is turned on again).

I think when explorer.exe tried yesterday to access the web, it might have been Help and Support or

the Search in the Start menu above Run. When I use either of them they ask to connect to the web.

Going to do one more scan with the main Panda scan


mauserme

Re: Avasts been hijack please help
« Reply #138 on: April 25, 2007, 07:29:50 PM »
Do you know if you have WGA Notifications installed on your computer?  It's not the same as Windows Genuine Advantage (WGA) - it's Microsoft Update  KB905474 and it's known to send outbound data to Microsoft.  Look in Add/Remove Programs for the update number or in c:\windows\system32\  for these files

wgalogon.dll
wgatray.exe

(if the files are present don't delete them).


UK_Sean

Re: Avasts been hijack please help
« Reply #139 on: April 26, 2007, 03:12:07 PM »
Hi guys,

Quote
Do you know if you have WGA Notifications installed on your computer?  It's not the same as Windows Genuine Advantage (WGA) - it's Microsoft Update  KB905474 and it's known to send outbound data to Microsoft.  Look in Add/Remove Programs for the update number or in c:\windows\system32\  for these files

wgalogon.dll
wgatray.exe

(if the files are present don't delete them).



Had a look in Add/Remove and c:\windows\system32\ for the files but nothing found.

In Add/Remove I've got numbers before KB905474 and numbers after it.

Did a full scan at main Panda site and it was clean

Did a scan with SuperAntiSpyware, it was clean.   Avast did pop up saying pskavs.dll was a threat,

but when I looked where it was, c:/windows/system32/pandasoft/active2, I think you'll tell me it's a

false positive.

I noticed if you use Search or Help and Support above Run in the Start menu that it tries to use explorer.exe to connect to

the web, which it always has since I installed XP Pro.

I'm not sure what stopped au.download.windowsupdate.com or the others.

Might have been me changing Remote Procedure Call (RPC) Locator in Services to Manual, which stopped locator.exe starting.


I've got the following blocked from accessing the web.    Do any of them need access?

So far everything seems to work OK.


NT Kernel and system
LSA Shell (Export Version)
Generic Host Process For Win32 Service
Application Layer Gateway Service




« Last Edit: April 26, 2007, 06:02:38 PM by UK_Sean »

mauserme

Re: Avasts been hijack please help
« Reply #140 on: April 26, 2007, 09:00:14 PM »
Quote
Hi guys,
Did a scan with SuperAntiSpyware, it was clean.   Avast did pop up saying pskavs.dll was a threat,
but when I looked where it was, c:/windows/system32/pandasoft/active2, I think you'll tell me it's a
false positive.

Yes, it is.

Quote
I noticed if you use Search or Help and Support above Run in the Start menu that it tries to use explorer.exe to connect to
the web.

When I open my Desktop Search, explorer.exe does briefly connect to the internet.  This can be controlled to some degree by changing the Internet Search Behavior in the Search Preferences to Classic Internet Search, but i don't think it can be entirely eliminated.

Opening Help & Support on mine causes helphost.exe to connect but this may differ by manufacturer.


Quote
I've got the following blocked from accessing the web.    Do any of them need access?

NT Kernel and system
LSA Shell (Export Version)
Generic Host Process For Win32 Service
Application Layer Gateway Service

I'll give you my opinions on these, but others may have better information:

NT Kernel and system (aka kernel32.exe) - Should never connect to the internet but  LAN side connections are OK.  Attempted connections to the WAN could indicate malware.

LSA Shell (Export Version)  (aka lsass.exe) - Should never connect to the internet.  Attempted connections could indicate malware.

Generic Host Process For Win32 Service (aka svchost.exe) - Internet connections are normal for this since it controls so many processes including things like time synchronization.  Make sure of the spelling because some malware will try to disguise itself as svchost.exe (like SVCH0ST.EXE - do you see the zero instead of the alpha "O"?).  It should run only from c:\windows\system32\  on XP boxes.

Application Layer Gateway Service (aka alg.exe) - Responsible for Internet Connection Sharing so, depending on your set up, you may see this connecting.  Be careful of the path on this one too (should be c:\windows\system32\ )
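As an added example that is not part of the thread, here is a small Python triage script applying the rules mauserme gives above (lsass.exe never connects, the kernel may talk to the LAN only, svchost.exe and alg.exe may reach the WAN, and each must run from the real system32 under its correctly spelled name) to a constructed log of process-to-address connections. The "path -> ip:port" log format, the sample records and the mapping of the firewall's kernel entry to ntoskrnl.exe are assumptions.

```python
"""Triage of outbound connections per the rules in the post above (added example,
not from the thread). Assumption: the firewall logs the kernel as ntoskrnl.exe."""
import ipaddress
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")
# "none" = must never connect, "lan" = private addresses only, "any" = WAN allowed
POLICY = {"ntoskrnl.exe": "lan", "lsass.exe": "none",
          "svchost.exe": "any", "alg.exe": "any"}
# digits malware swaps in for look-alike letters (SVCH0ST.EXE with a zero)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})

def looks_like(name: str, legit: str) -> bool:
    """True when name is a digit-for-letter imitation of legit, not legit itself."""
    n = name.lower()
    return n != legit and n.translate(HOMOGLYPHS) == legit

def triage(record: str) -> str:
    """Classify one 'full path -> ip:port' record (constructed log format)."""
    path_str, dest = record.rsplit(" -> ", 1)
    path = PureWindowsPath(path_str)
    name = path.name.lower()
    ip = ipaddress.ip_address(dest.rsplit(":", 1)[0])
    for legit in POLICY:
        if looks_like(name, legit):
            return f"SUSPECT: lookalike of {legit} at {path}"
    rule = POLICY.get(name)
    if rule is None:
        return f"UNKNOWN: review {path} manually"
    if path.parent != SYSTEM32:  # Windows paths compare case-insensitively
        return f"SUSPECT: {name} running outside system32 ({path.parent})"
    if rule == "none":
        return f"SUSPECT: {name} should never connect (to {dest})"
    if rule == "lan" and not ip.is_private:
        return f"SUSPECT: {name} reaching the WAN ({dest})"
    return f"OK: {name} -> {dest}"

# constructed records; the two WAN ranges are the ones examined in the thread
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe -> 198.51.100.20:80
C:\WINDOWS\system32\lsass.exe -> 84.53.134.10:80
C:\WINDOWS\System32\ntoskrnl.exe -> 192.168.1.1:445
C:\WINDOWS\System32\ntoskrnl.exe -> 87.248.192.7:80
C:\Documents and Settings\Sean\SVCH0ST.EXE -> 203.0.113.9:6667
C:\temp\svchost.exe -> 203.0.113.9:80
""".strip().splitlines()

def suspects(records=SAMPLE_LOG) -> list[str]:
    """Only the verdicts a user should act on."""
    return [v for v in map(triage, records) if v.startswith("SUSPECT")]
```

Running `suspects()` over the sample flags the lsass.exe connection, the kernel reaching a public address, the zero-for-O lookalike and the svchost.exe copy outside system32, while the two legitimate records pass.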

UK_Sean

Re: Avasts been hijack please help
« Reply #141 on: April 26, 2007, 09:48:02 PM »
Hi mauserme,

Thanks for the info. The files you mentioned do come from c:\windows\system32\ and have the right spelling.

I think my system is pretty clean now I hope,

Can I say A MASSIVE THANKS TO MAUSERME, ESSEXBOY, DAVIDR, TEC, and POLONUS

for all your help and support over the last couple of weeks. You guys do a great job, CHEERS guys!

Thought I'd do a final HijackThis log.



Logfile of HijackThis v1.99.1
Scan saved at 20:25:56, on 26/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUS\Probe\ASUSPROB.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2006\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascinstie.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


mauserme

Re: Avasts been hijack please help
« Reply #142 on: April 26, 2007, 11:53:51 PM »
Looks good to me, Sean.  There are a couple of unnecessary lines that could be removed for tidiness, but no worries.  As long as you have no unexplained connections now I think you're clean.

The following is for UK_Sean and T34:

Don't forget to delete the SDFix backups.  You really could get rid of the entire program now - it's updated often, so if you ever needed it again you would want to get a new copy.

I don't know what you might have in quarantine in all the other scanners you ran (AVG, Super, etc) but you should review those for deletions too.

The final suggestion I can make is to create a clean restore point and delete the old points now, while you're clean.  Click Start > All Programs > Accessories > System Tools > System Restore.  Fill the radio button to create a new restore point and "next" your way through.  Name it "Clean" or something that will make sense to you if you ever need to restore back to this point.

After the new restore point is made click Start > All Programs > Accessories > System Tools > Disk Cleanup > More Options Tab.  Then click the Clean Up button for system restore and Yes to the warning.


It's been quite an adventure ...  :)
« Last Edit: April 27, 2007, 01:15:02 AM by mauserme »

Offline DavidR
Re: Avasts been hijack please help
« Reply #143 on: April 27, 2007, 12:02:53 AM »
Now some pro-active measures could help for the future.

In order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

T34

Re: Avasts been hijack please help
« Reply #144 on: April 29, 2007, 03:00:39 PM »
Hello,

Thank you for the latest advice, especially from mauserme.
Thx

mauserme

Re: Avasts been hijack please help
« Reply #145 on: April 29, 2007, 03:06:14 PM »
You're welcome.  :)
« Last Edit: April 29, 2007, 07:13:06 PM by mauserme »