Topic: Possible Trojan


DavidR (Avast Überevangelist)
Re: Possible Trojan
« Reply #45 on: November 18, 2007, 04:01:07 PM »
Three avast functions that require access:
ashWebSv.exe - the avast Web Shield.
ashMaiSv.exe - the avast email scanner (for the Internet Mail provider).
avast.setup - this is what does the avast virus signature and program updates.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ecotack (Guest)
Re: Possible Trojan
« Reply #46 on: November 19, 2007, 08:59:23 PM »
 :'(

The virus had deleted my previous firewall (Sygate) but must have left something behind. I uninstalled it, rebooted, and packets started to flow.

Firefox still couldn't find web sites, but I could ping their IPs (DNS problem ???), so I tried IE; a window popped up asking me which file I wanted to crack ???, the Avast icon disappeared and RKB is showing a whole list of files.

HJT log attached.

essexboy (Malware removal instructor, Avast Überevangelist)
Re: Possible Trojan
« Reply #47 on: November 19, 2007, 09:23:47 PM »
Only one file in your log that I can find no info on: nspksrv.exe.

Jotti File Submission:
  • Please go to Jotti's malware scan.
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • C:\WINDOWS\system32\nspksrv.exe
  • Click on the submit button.
  • Please post the results in your next reply.

Then

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

ecotack (Guest)
Re: Possible Trojan
« Reply #48 on: November 19, 2007, 10:03:41 PM »
DSS log attached. Nothing found in NSPKSRV.EXE. It took a bit of finding, but it's a network serial port driver, by FabulaTech.

essexboy (Malware removal instructor, Avast Überevangelist)
Re: Possible Trojan
« Reply #49 on: November 20, 2007, 12:32:52 AM »
OK, srosa has reared its head again, but it is now deeply hidden.

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present, like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.
Thanks for the info on that file

DavidR (Avast Überevangelist)
Re: Possible Trojan
« Reply #50 on: November 20, 2007, 12:57:57 AM »
@ essexboy
You need to edit your link to F-Secure BlackLight: as it is an ftp URL you shouldn't wrap it in the URL tags, as that puts an http:// in front of the ftp:// and messes up the link.

e.g. ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

ecotack (Guest)
Re: Possible Trojan
« Reply #51 on: November 20, 2007, 01:44:40 PM »
Thanks again, but last night before I read you post I had a play around.

hidr.exe and srosa.sys came back, so I booted in safe mode and removed them.  It appears one of the IE Add-ons is responsible for re-infecting.  I disabled all add-ons in safe mode, now in normal mode IE works fine.  Before IE would lockup if it didn't have network access.

The DNS problem is caused by Comodo firewall.  Even though I trust an application it is still blocking it, unless I select the 'Skip advanced security checks', in the miscellaneous tab in the application control rule.

I also uninstalled Avast and installed Comodo's antivirus, because the infection kept deleting Avast. However, Comodo antivirus can't enable the on-access scanner. At that point I gave up and went to bed.

I'll give fsbl a go this evening and see what it comes up with.
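The two things the thread turns on at this point are reading a HijackThis log for entries that load unknown binaries (essexboy's review of nspksrv.exe above) and recognising the files that keep coming back (hidr.exe and srosa.sys, re-dropped by an IE add-on). The script below is an added example, not code from the thread or from any of the tools named in it: it parses the O2 (BHO), O4 (autostart) and O23 (service) entry format that HijackThis emits, classifies each referenced binary against the names this thread established, and says whether a safe-mode removal pass is needed. The sample log lines, the CLSID and the "example_bho.dll" entry are constructed for the example; only hidr.exe, srosa.sys and nspksrv.exe come from the thread, and the known-bad/known-good lists are this example's assumption, not a verdict the tools produced.

```python
"""Triage HijackThis-style log entries against names seen in this thread."""
import re
from dataclasses import dataclass
from typing import List

# File names taken from the thread: hidr.exe and srosa.sys are the files that
# kept coming back; nspksrv.exe was the unknown that turned out to be the
# FabulaTech network serial port service. Everything else defaults to "review".
# (Assumption for this example: the lists are hand-maintained, not a feed.)
KNOWN_BAD = {"hidr.exe", "srosa.sys"}
KNOWN_GOOD = {"nspksrv.exe": "FabulaTech network serial port service (checked on Jotti)"}

# Constructed sample log. The CLSID, the BHO DLL and the Messenger entry are
# made up for this example; they are not from the thread's attached logs.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {D9C2F3E0-1234-4000-8000-000000000001} - C:\WINDOWS\system32\example_bho.dll
O4 - HKLM\..\Run: [hidr] C:\WINDOWS\system32\hidr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Network Serial Port Kit (nspksrv) - FabulaTech - C:\WINDOWS\system32\nspksrv.exe
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First absolute Windows path ending in a binary extension; the non-greedy
# ".*?" lets paths with spaces ("C:\Program Files\...") through.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HJT section, e.g. O4 (autostart) or O23 (service)
    path: str      # binary the entry loads
    verdict: str   # known-bad / known-good / review, with a reason


def classify(path: str) -> str:
    """Map a file path to a triage verdict using the name lists above."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_BAD:
        return "known-bad: remove in safe mode, then re-check after reboot"
    if name in KNOWN_GOOD:
        return "known-good: " + KNOWN_GOOD[name]
    return "review: submit to a multi-engine scanner before touching it"


def triage_hjt(log: str) -> List[Finding]:
    """Return one Finding per O-section entry that references a binary."""
    findings = []
    for raw in log.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue  # headers, process list, blank lines
        section, rest = entry.groups()
        hit = PATH_RE.search(rest)
        if not hit:
            continue  # e.g. an O2 line that reads "(no file)"
        verdict = classify(hit.group(0))
        # A BHO with no registered name is a classic hiding spot for the
        # IE add-on that re-dropped hidr.exe; call that out explicitly.
        if section == "O2" and "(no name)" in rest and verdict.startswith("review"):
            verdict += "; unnamed BHO, disable it in safe mode first"
        findings.append(Finding(section, hit.group(0), verdict))
    return findings


def needs_safe_mode(findings: List[Finding]) -> bool:
    """True when anything known-bad is loaded at boot or via IE."""
    return any(f.verdict.startswith("known-bad") for f in findings)


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_LOG)
    for f in results:
        print(f"{f.section:<4} {f.path}\n     -> {f.verdict}")
    print("boot to safe mode:", needs_safe_mode(results))
```

The point of keeping "review" as the default is the one essexboy makes about nspksrv.exe: an unfamiliar name in system32 is a reason to submit the file, not to delete it. Only names that have already been confirmed (by a multi-engine scan, or by watching them reappear after removal, as happened with hidr.exe and srosa.sys) earn a known-bad verdict and the safe-mode step.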

Lisandro (Avast team)
Re: Possible Trojan
« Reply #52 on: November 20, 2007, 07:18:39 PM »
The DNS problem is caused by Comodo firewall.  Even though I trust an application it is still blocking it, unless I select the 'Skip advanced security checks', in the miscellaneous tab in the application control rule.
I'm not with Comodo in this computer, but if I remember correctly, there is an entry for DNS queries in the advanced tab of settings of the firewall.

Because the infection kept deleting avast.  However Comodo antivirus can't enable the on access scanner.  At that point I gave up and went to bed
Don't try to install two antivirus at the same time.
See http://forum.avast.com/index.php?topic=31559.msg263039#msg263039 to correct avast misinstallation problems...
The best things in life are free.

essexboy (Malware removal instructor, Avast Überevangelist)
Re: Possible Trojan
« Reply #53 on: November 20, 2007, 07:49:55 PM »
@ essexboy
You need to edit your link to F-Secure BlackLight: as it is an ftp URL you shouldn't wrap it in the URL tags, as that puts an http:// in front of the ftp:// and messes up the link.

e.g. ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
Thankee David, I actually amended the URL myself as it had changed from the original I had on my canned - guess I blew it ??? However, lesson learnt. Ta.

DavidR (Avast Überevangelist)
Re: Possible Trojan
« Reply #54 on: November 20, 2007, 08:25:44 PM »
Thankee David, I actually amended the URL myself as it had changed from the original I had on my canned - guess I blew it ??? However, lesson learnt. Ta.

You're welcome, it has caught me out a couple of times in the past.

ecotack (Guest)
Re: Possible Trojan
« Reply #55 on: November 20, 2007, 08:55:57 PM »
BlackLight didn't find anything.

I thought I'd un-installed Avast before installing Comodo.  Perhaps something was left behind.  How do I completely remove Avast?

essexboy (Malware removal instructor, Avast Überevangelist)
Re: Possible Trojan
« Reply #56 on: November 20, 2007, 10:32:05 PM »
ASWclear from here will do that http://www.avast.com/eng/avast-uninstall-utility.html

Could you try an F-Secure online scan?

Please run the F-Secure Online Scanner

Note: this scanner is for Internet Explorer only!
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.