Author Topic: Please Help!  (Read 18643 times)

0 Members and 1 Guest are viewing this topic.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Please Help!
« Reply #15 on: April 04, 2008, 09:03:45 PM »
I give up to keep a serene conversation and help...
I earn nothing giving my time for free here in avast forums. I do not deserve blaming.
The best things in life are free.

AleKx

  • Guest
Re: Please Help!
« Reply #16 on: April 04, 2008, 09:11:54 PM »
Friend, I am not blaming you for anything. I am simply stating that had you read my posts, your questions would have been answered. Any people who take the time to help here is greatly appreciated, but you were going about it the wrong way, even if you kept on trying to help. Take 5 minutes and go through my posts, it will answer many of your questions, it took me a long time to gather this information and it would be appreciated if you read it before asking me silly questions like: "Did you reboot after uninstalling"

That's all I mean. Your help is appreciated. <3

AleKx

  • Guest
Re: Please Help!
« Reply #17 on: April 04, 2008, 10:32:48 PM »
The reason I came on the Avast! forums for this was because the spyware I have was USING ashweb.exe
It completely by-passed Avast! even after doing a pre-boot scan.

I decided to call my ISP and I talked with 5 different technicians (I called 5 times because no one could tell me anything, I was hoping I'd land on someone that would.) And 4 out of the 5 technicians didn't know the "Netstat" command. I'm dead serious.

The first 2 technicians were clueless, and the third told me to call my D-Link router support. Which I did. I called and the technician was impolite, barely articulated, and showed no interest in helping me at all. I finally gave up with him and called my ISP again.

Technician #4 was very nice, did the best he could, but had no clue what Netstat was. How can I explain my problem to someone who doesn't even know how Netstat works.

I hung up with him and called again, and this time the technician knew what he was talking about. He asked me a series of logical questions (basically the same questions I asked myself), and we both came to the conclusion that it was spy-ware or other malicious software trying to dial home to the IP always showing up in my Netstat. Since he works for Bell, he wasn't allowed to help me with non-bell related products like Ad-Aware or any other tool that could help me, but he let me know that it was obvious that I was infected. The files infected are multiple, kernel32.dll, alg.exe to name 2, but there's plenty more. The virus is trying to dial to that IP I keep seeing, with the use of those .dll files and .exe's. It says "listening" because it's waiting on those ports it uses to connect to the IP, to open, so the files I have infected, can then download a virus.

Note that the IP was hooked on files that Avast! was using, so that's why I saw ashweb.exe related to them, and trying to connect to the IP. Avast! is also an anti-virus, it is NOT an anti-spyware. It's just a reminder that not one program will keep you completely safe.

It's very confusing when the spyware is using your anti-virus processes when you see this:
Quote
TCP    box:1026               ppp-54-25.32-151.iol.it:0  LISTENING       1700
  [alg.exe]

  TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING       1104
  [ashWebSv.exe]

  TCP    box:12110              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12119              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12143              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

Is it normal for someone to assume that the IP above is a server that ashmaisv.exe (aka Avast!) uses? I think it is.

After uninstalling Avast!...
Quote
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    box:epmap              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:microsoft-ds       ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:2869               ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:1026               ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:1046               localhost:1045         TIME_WAIT
  TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12110              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12119              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12143              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:netbios-ssn        ppp-54-25.32-151.iol.it:0  LISTENING

Looking at this, after Avast! is completely uninstalled, isn't it safe to theorize that you might have spy-ware or a virus?

I think it's important to let other Avast! users know about this. REGARDLESS if anyone know exactly what the point is, actually not regardless, ESPECIALLY, if no one knows what the problem is.

To prevent further bashful comments, I'm not putting Avast! down. It's a good anti-virus. It makes a poor anti-spyware though.

*All this are hypothesis based on logical deduction from about 12 different people, including staff from Avast!, technical support staff from my ISP, and other Internet gurus whom I know personally. So far 10 out of the 12 people think its a spy-ware/virus
« Last Edit: April 04, 2008, 10:36:38 PM by AleKx »

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Please Help!
« Reply #18 on: April 04, 2008, 11:54:44 PM »
Couple of things.

First it would probably help you a bit more if you installed a program that gives you a better view of your connections like  the free TCPView available from Microsodt/Sysinternals.

You are not connecting to a website as such - you are connecting to an individual user at that site.  That has all the hallmarks of someone using a P2P program where the person at the other other end is telling you to connect to them on well known ports such as port 25, port 119, port 80 etc.  such usage is quite common in the P2P world.  It so happens that avast scans activity on those well known ports because that it how it works to scan email, nntp and web browsing.

So - are you using a P2P program on your system?


AleKx

  • Guest
Re: Please Help!
« Reply #19 on: April 05, 2008, 04:16:52 AM »
Yes, but the program is seldom used. I've used it twice since formatting, and only to get 2 well know Unreal Tournament movies that I can't find elsewhere, ( not even on levitation-gaming). I've scanned everything that I've downloaded with Avast! before running anything, DivX, Ventrilo, mIRC, nnscript, peerguardian, firefox, filezilla, x-netstat, netstat agent. Those are the only programs I've downloaded. All have been scanned and passed through Avast!. I had just reformatted..

Thanks for sharing your opiniong alanrf, do you suggest I uninstall the p2p ?

I've looked into spyware removal tools and found Ghost Buster. I ran that and it found the trojan (a trojan is a virus right? why didn't avast catch it?) : Trojan.Win32.Patched.m

Ghost Buster is a Spyware removal tool but a Trojan is a virus to my knowledge, (if someone could clear that up if I'm wrong) but it wouldn't remove it since I only have the trial version. The path it found the trojan in was C:\Windows\system32\winlogin.exe

If you look at all the applications and DLL files it was listening with (My netstat -ab reports) winlogin.exe uses some of those files to function. It kind of all makes sense. I have a trojan, Avast didn't detect it, and all this energy spent on trying to find out why the heck someone is listening on my ports is at least validated.

One of you did the Netstat -ab and gave me your results. That was a clean Netstat right there, and that's how most pc's should be secure.

I've gone and and beyond with this, I've learned a lot too, and after more than 10 years of using microsoft products, I'm switching to Linux or Mac. I will try out both first to see which I prefer of course.

Microsoft sells you an operating system that is not finished. The product, is not finished. There's no muffler on your car, there's no roof on your house, and there's holes everywhere in your operating system when you run Windows. XP was most likely it's best operating system, WindowsME being the poorest (I'd rather run windows 3.1)

Why do you think you have hundreds of updates when you have windows?
Because they sell you something that's unfinished, but they have the courtesy to patch the things that THEY find. Imagine all the stuff they DON'T find.

After re-installing Windows XP, the first day I have 28 updates. The second, 90 updates. The third, 10 updates... I didn't count how many there were in total but apparently it's still going. It's not only security updates for your operating system, it's for other microsoft products such as IE and Explorer and registry fixes or what have you. These are serious holes and serious issues. If you want to run windows you need: A) A firewall, B) An anti-virus, C) A router if you can B) Spyware removal tools C) Registry Cleaner/fixer etc etc etc.

They sell you this crap for 300$ a CD (When the OS just came out, windows sold for 350$ a CD at futur shop).

Linux is FREE.

Do some research of how many people on linux have problems with viruses and trojans and spyware and malware and i-ware (heh). Do some research on how many people have problems with viruses and trojans and spyware and malware with Macintosh computers.

It took me 10 years to wake up and smell the freaking coffee. I've been up to date throughout all these years as much as I could with protecting myself while operating a Windows operating system, and I'll have none of it no more.

I've banged my head in walls and tried to protect myself for years, when I don't really have to. If I buy a mac, sure it's expensive, but they have the fastest processors, and they are the best when it comes to graphics, which is great for a gamer like me. I also get the friendly GUI that windows has, but without all it's holes. Or, I can try Linux, a FREE operating system with one freaking millionth of Windows' vulnerabilities, and have a more "raw" GUI, and have to do things more manually or through WINE.

Either way, I'm not sticking with microsoft. Good riddance.
« Last Edit: April 05, 2008, 04:36:35 AM by AleKx »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Please Help!
« Reply #20 on: April 05, 2008, 04:18:18 AM »
AleKx, if avast is completely and correctly uninstalled, there should be no process running, no files left behind... nothing. What I see from your posts is that you're complaining about a bad uninstalled software.

Thanks to my router I think it's preventing it from phoning home.
avast does not phone home... something is infected in your computer.
The best things in life are free.

AleKx

  • Guest
Re: Please Help!
« Reply #21 on: April 05, 2008, 04:37:51 AM »
Tech you're kidding right?


Again, had you read my post, the current update is yes, we all think I have a virus.

Your first post was, did you reboot after uninstalling? and you were behind on that one. Now we're at the part where we're all 99% sure I have a virus. Regardless of the outcome, I'm glad my concerns were not in vain. I appreciate all the intput from all of you guys. You wouldn't be taking the time to write if you didn't want to help.

Finding out where it came from is the least of my worries. I'd like to find out how to remove it. The trojans name is Trojan.Win32.Patched.m (Again, read my posts)

I've tried a few programs but they only seem to point out that I have this virus, they won't remove it like Avast! does with it's trial. But Avast! didn't detect it. Should I try AVG maybe?
« Last Edit: April 05, 2008, 04:43:59 AM by AleKx »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please Help!
« Reply #22 on: April 05, 2008, 04:39:58 AM »
This is an intreguing post. What P2P program do you use. Was it a freshdownload or from a backup after your reformat?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Please Help!
« Reply #23 on: April 05, 2008, 04:42:30 AM »
Tech you're kidding right?
No. I can't understand that a legit ashWebSv.exe or a legit ashMaiSv.exe files could be present in a computer without avast correctly uninstalled.
The best things in life are free.

AleKx

  • Guest
Re: Please Help!
« Reply #24 on: April 05, 2008, 04:53:04 AM »
Your last two post gentlemen, are exactly what I've been trying to emphasize. I can't imagine either. But the Netstat -ab report is there. I'm not wasting my time on forums with false Netstat reports. The IP was there and using that Avast! .exe, and it remained there and listened to epmap, microsoft-ds, netbios-ssn, etc and other process, with the SAME IP, even after uninstalling.

I will mention one last time how I uninstalled.

Initially I did it through Control Panel Add/Remove Programs, which seems to have worked fine. I REBOOTED after uninstalling.

Then I did the netstat and found it was still there, just this time, not using Avast's Ashweb.exe or whatever the exe is called. But it was still listening. Same IP

Then I posted here and someone told me to run "aswclear.exe" - Avast!'s own uninstall program. Now, with basic experience, I've been taught that if somehow you've wrongly uninstalled a program, it's best to re-install it if you can, before doing the "proper" uninstall. So I did. I re-installed avast, but this time, I uninstalled Avast! with aswclear.exe. I then REBOOTED.

I did netstat and the connections were using again, multiple DLL files and alg.exe and what not.

The trojan is called Trojan.Win32.Patched.m

Avast! didn't catch it. Actually, according to netstat when Avast! was installed and running, the IP was attached to the files that Avast! used. (I could be completely wrong.)

The p2p program that I used was utorrent. I've been playing Unreal tournament and all it's latest versions, ut2k3, ut2k4, UT3, since UT99, I'm currently making a movie and I had downloaded a bunch of oldschool UT movies that I could only find through torrents. I've learned a long time ago to keep my programs as legit as possible.

Could anyone suggest a program that is free that could remove this particular trojan ?


Rifkin

  • Guest
Re: Please Help!
« Reply #25 on: April 05, 2008, 04:53:59 AM »
Guys I don't think you have a virus or even spyware.  It seems that when you have p2p software installed you are part of a network.  This is what you are seeing.  Avast won't flag it, because it's legit.  Try uninstalling your p2p software and see if the traffic stops, remember also that infected software may use legit ISPs to cover their tracks and black listing the ISPs blocks the bad and the legit.

The following is from an article on About.com

A good definition of P2P software was proposed by Dave Winer of UserLand Software many years ago when P2P was first becoming mainstream. Dave suggests that P2P software applications include these seven key characteristics:
-the user interface runs outsides of a Web browser
-computers in the system can act as both clients and servers
-the software is easy to use and well-integrated
-the application includes tools to support users wanting to create content or add  functionality
-the application makes connections with other users
-the application does something new or exciting
-the software supports "cross-network" protocols like SOAP or XML-RPC

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Please Help!
« Reply #26 on: April 05, 2008, 04:58:13 AM »
I re-installed avast, but this time, I uninstalled Avast! with aswclear.exe. I then REBOOTED.
It is supposed to be run 'after' the Add/Remove programs and only if needed (i.e., Add/Remove fails).

The p2p program that I used was utorrent.
Has some issues with avast, I mean, avast with utorrent.
The best things in life are free.

AleKx

  • Guest
Re: Please Help!
« Reply #27 on: April 05, 2008, 04:59:33 AM »
Tech I know how you might be thinking that I'm saying Avast is listening or trying to phone home with a Virus. Quite frankly, I don't fully understand your hypothesis even after reading it multiple times. But I do know one thing, I'm not saying Avast! is part of the problem, or trying to phone home. I'm trying to help you help me, I'm not trying to be against you. Like I said in like 3 posts, I appreciate people who take the time to help.

I think I have a virus that Avast didnt detect. And possible, since the virus used files like winlogon.exe (or winlogin.exe) and that application uses such files as kernel32.DLL etc and other multiple DLL's (It can take a few DLL's for one .exe) then isn't it possible that by by-passing avast, it's a root-kit trojan or something? Avast! obviously did not detect, another program did. It's recognised as a Trojan. The trojan used some files that Avast probly used as well to operate. That's probly why I saw the ip using ashweb.exe


Now the things I know are

A) I have a virus, it's called Trojan.Win32.Patched.m
B)Avast! didn't detect it.
C)It's highly likely that I got the virus from utorrent since I have only formatted 5 days ago.
D)If it is a network like you guys say, because that I have a P2P program installed, then it came with Trojan.Win32.Patched.m
E)I highly doubt that by uninstalling utorrent, that the Trojan will dissapear.
F)You guys are awesome for helping me.  ;D

I'll uninstall UTorrent and REBOOT and run netstat again, see if the SAME ip is still there using the same processes and dll files.

Also Tech, you say that Avast has issues with UTorrent, but Avast! didn't detect anything when I ran UTorrent. It did detect something when I ran the OutPost Firewall though, I had to disable something. Funny that it would work for protection like a firewall, but not for a program proned to viruses like P2P UTorrent.

Let's put Rifkin's theory to the test: I'll uninstall the P2P, he says the connections will dissapear

(Is it me or do people not read my posts? I'm infected with a trojan, avast didn't detect it, you guys are giving me instructions on how to properly uninstall a program and telling me that if I uninstall the P2P the virus will go away and stop listening.)
« Last Edit: April 05, 2008, 05:11:19 AM by AleKx »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please Help!
« Reply #28 on: April 05, 2008, 05:14:59 AM »
Go ahead with what you are doing. Since you gave a name to the possible infection, I checked and one of the things it does is infect/replace winlogon.exe

So let's see what we can discover about your copy.

Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

c:\windows\systems32\winlogon.exe

scroll down a bit and click "send file", wait for the results and post then in your next reply.

AleKx

  • Guest
Re: Please Help!
« Reply #29 on: April 05, 2008, 05:15:39 AM »
To be honest the problem is solved. I simply need to find a spyware or anti-virus that will remove Trojan.Win32.Patched.m

Unfortunately I can't use my Avast! that I paid for (I bought it, I don't just use the free version), like all my other legit programs. I mention this because I see too many people cracking software and not buying the real versions. Hell you buy it once and it's yours and you don't have to worry about downloading full programs on malicious websites. You have the program, it's clean, you're good.

Sucks though, ironically enough I'll probly end up finding a free program that removes specifically Trojan.Win32.Patched.m