Author Topic: Overly aggressive protection!!!  (Read 4132 times)

Tl12000

  • Guest
Overly aggressive protection!!!
« on: September 20, 2008, 04:09:06 AM »
OK, so I've used avast for some time now but it's acting a bit weirder than before, I think maybe after the updates occurred.

Avast keeps thinking my system files are viruses. Whenever I open my task manager it says it's infected.
Whenever I open NOTEPAD it thinks it's a virus too.
as well as:
mspaint.exe - Paint
mobsync.exe - mobile synchronization
cmd - command prompt
opera.exe - opera internet browser
7z.exe - 7 zip file manager
u3launcher - U3 Sandisk Launcher from U3 USB device

and many more. I can't even use my computer comfortably because of this issue.
I believe there is a virus out there that is specifically aimed to destroy avast antivirus from the inside out, but I'm not entirely sure.

Here's my comp specs

OS - Windows 2000 Professional (The reason I need and use Avast)
RAM - 256 MB
Processor - Intel Pentium 3 1.2 GHz

And this keeps going on for some reason, someone from this address keeps sending DDoS attacks using tcp

209.127.82.76 tcp or https attack

CharleyO

  • Guest
Re: Overly aggressive protection!!!
« Reply #1 on: September 20, 2008, 04:24:35 AM »
***

Welcome to the forums, Tl12000.   :)

Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results using the "copy & paste" method. It will probably take more than one post to be able to get the complete log posted. OR, you can post it as an attachment to your post by clicking on "Additional Options..." below left of the posting box. Do not download HJT to the desktop but instead download it into its own folder on the hard drive. Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/


***

ardvark

  • Guest
Re: Overly aggressive protection!!!
« Reply #2 on: September 20, 2008, 04:26:37 AM »
Hi...

You might want to use an online scanner to verify what avast is claiming. There are several to choose from but here are two...

http://www.ewido.net/en/onlinescan/

http://housecall65.trendmicro.com/

Others might suggest to you other options. Please post back with a report if anything is found. :)

Best Regards...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Overly aggressive protection!!!
« Reply #3 on: September 20, 2008, 02:41:55 PM »
Which is the virus/malware name?
If you're infected with a file infector, well you need to do something fast...

Quote
I believe there is a virus out there that is specifically aimed to destroy avast antivirus from the inside out, but I'm not entirely sure.

Yes, there are such nasties...
Can you try full computer on-line scanning?
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)
The best things in life are free.

Tl12000

  • Guest
Re: Overly aggressive protection!!!
« Reply #4 on: September 20, 2008, 09:40:09 PM »
OK, so here's the log file, it seems most of this stuff is system protected and some are avast services running in my background.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:42 PM, on 9/20/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\All Users.WINNT\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Documents and Settings\Administrator\Application Data\U3\0000D18070413406\LaunchPad.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: LaunchU3.exe.lnk = C:\Documents and Settings\All Users.WINNT\Application Data\U3\U3Launcher\LaunchU3.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 2465 bytes
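
As an added example (not part of the original posts and not HijackThis's own code), the Python below parses a log in the format posted above, counts entries per section code (O4 is autostart entries, O23 is NT services) and lists running processes outside an assumed set of expected install roots. The sample is a shortened excerpt of that log; `parse_hjt`, `triage` and `EXPECTED_ROOTS` are hypothetical names chosen for this illustration.

```python
import re

# Shortened excerpt of the log posted above (lines copied from the thread).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Documents and Settings\All Users.WINNT\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: LaunchU3.exe.lnk = C:\Documents and Settings\All Users.WINNT\Application Data\U3\U3Launcher\LaunchU3.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then entry text
# Assumption for this example: roots where binaries are expected on this machine.
EXPECTED_ROOTS = ("c:\\winnt\\", "c:\\program files\\", "c:\\progra~1\\")

def parse_hjt(text):
    """Return (running_processes, {section_code: [entry, ...]})."""
    procs, sections, in_procs = [], {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.lower() == "running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif (m := ENTRY.match(line)):
            sections.setdefault(m.group(1), []).append(m.group(2))
    return procs, sections

def triage(text):
    """Count entries per section and list processes outside the expected roots."""
    procs, sections = parse_hjt(text)
    counts = {code: len(items) for code, items in sections.items()}
    unusual = [p for p in procs if not p.lower().startswith(EXPECTED_ROOTS)]
    return counts, unusual

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A path outside the expected roots is only a prompt for review, not a verdict. A file infector modifies legitimate executables in place, so a log with nothing unusual in it does not rule one out.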

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Overly aggressive protection!!!
« Reply #5 on: September 20, 2008, 10:04:45 PM »
1. You should create a specific folder for HJT, c:\HJT would do rather than have it dumped on the desktop. If you make any fixes you really want everything in its own folder.

2. This is possibly one of the smallest HJT logs I have seen in some time. I don't know if this is because you are running win2k or some other reason. I would suggest once you have created a folder for HJT that once installed you rename the hijackthis executable to Tl12000HJT.exe in case there is malware that detects and avoids HJT.

You didn't answer the question about the malware name as that could give us an idea if you do indeed have a file infector at work.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file). I'm not sure if it runs on win2k but I would think it might.
1. SUPERantispyware On-Demand only in free version.
2. Also MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Overly aggressive protection!!!
« Reply #6 on: September 20, 2008, 10:39:43 PM »
Quote
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file). I'm not sure if it runs on win2k but I would think it might.

Yes it will. Win98-Vista.

I agree, it is a short log. Renaming hijackthis.exe may reveal a vundo infection. Though many infections have similar symptoms, this one almost sounds like the vundo file infector... notepad.exe for example.

(edit for spelling)
« Last Edit: September 21, 2008, 12:05:28 AM by oldman »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Overly aggressive protection!!!
« Reply #7 on: September 20, 2008, 11:31:55 PM »
Thanks, now it is hard to know what works and what the start point OS is.

wyrmrider

  • Guest
Re: Overly aggressive protection!!!
« Reply #8 on: September 21, 2008, 11:27:42 PM »
HJT may not show much.
I would like to see the MBAM and SAS logs and also Spybot Search and Destroy.
With MBAM check any hits and then REMOVE SELECTED; a backup will be made.
With the others send to Quarantine, do not remove/delete.
I would also like to see a scan with one of the online AV scanners AFTER the general purpose removers are run, preferably Kaspersky.
After seeing the logs we may want to run VUNDO fix and a double check for rootkits.
File infectors are non-trivial and the sooner they are addressed the better.