Author Topic: Multiple instances of AVAST modules in Taskmgr  (Read 30094 times)

0 Members and 1 Guest are viewing this topic.

micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #15 on: July 06, 2009, 05:28:17 PM »
I think you have a serious threat somewhere,possibly a rootkit. I would run one, if not both, of the following.
 
http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I am not very familiar in the use of Combofix, but it is a very powerful, and useful program.


Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #16 on: July 07, 2009, 07:09:08 PM »
Using AVAST I terminated the web shield and the Outlook/Exchange modules and then rebooted. I thought that would keep ashMaiSv and ashWebSv from running.  It did stop ashWebSv from running but ashMaiSv is still running 50 instances and there is no instance of ashWebSv running.  Microsoft Security Center reports that "avast! antivirus 4.8.1335[VPS 090706-0]" is turned off yet taskmgr shows ashDisp.exe, 50 copies of ashMaiSv.exe, ashServ.exe and aswUpdSv.exe all running.

I tired to install combofix per a previous suggestion and, at the time it could not set a restore point so I terminated it for now.  I will restart the System Restore and try again.

Thanks for all the great suggestions and support found here.

Jay Gee

micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #17 on: July 07, 2009, 07:16:55 PM »
Try the rescue cd, its scans your system without booting windows. It does not create a log, I think you would have to write down anything it finds

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #18 on: July 08, 2009, 05:40:03 PM »
I must say ... I was overtaken by a sense of having been coerced into downloading some awful program and destroying my system when I clicked on the Thumbnail on the Avira Web page and a popup got past Firefox.  That popup was about an evil looking game of some sort.  It opened another Firefox tab and left it open but I was quick to close it out of fear.  I must say I was EXTREMELY reluctant to boot their CD after I saw that. Then when I booted the Avira CD another evil looking cartoonish character appeared in the upper left corner of the screen.  Nonetheless I did boot up and after about 10 seconds the evil little character disappeared.   This is not a good way for Avira to give a very comfortable feeling about their product(s).

I have transcribed all of the information on the Avira screen below.
Below that are a couple of concerns that I have.

========================================
Items found by Avira Rescue CD:

/media/Devices/sda1/ComboFix/n.pif
ALERT: [HIDDENEXT/Crypted] /media/Devices/sda1/ComboFix/n.pif <<< The file contains an executable.  
This however, is disguised by a harmless file extension (HIDDENEXT/Crypted) not removable
file renamed.  (Avira did not say to what it was renamed.)

/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files/Content.IE5/OTE30PE3/horoscopes[1].css
WARNING: archive not completely scanned: contents exceed 191397888 bytes
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files/Content.IE5/SI058REH/CADFBH79
WARNING: archive not completely scanned: contents exceed 191397888 bytes

/media/Devices/sda1/TEMP/ComboFix.exe
ALERT: [HIDDENEXT/Crypted] /media/Devices/sda1/TEMP/ComboFix.exe --> 32788R22FWJFW\n.pif <<< The file contains an executable.  
This however, is disguised by a harmless file extension (HIDDENEXT/Crypted) not removable
file renamed.  (Again, Avira did not say to what it was renamed.)

archive: /media/Devices/sda1/WINDOWS/system32/files.zip --> loader.exe extract error )ALL files in archive are encrypted.)
/media/Devices/sda1/WINDOWS/system32/files.zip
WARNING: archive not completely scanned: contents encrypted

/media/Devices/sda1/WINDOWS/system32/wh.exe
ALERT: [TR/Crypt.XPACK.Gen] /media/Devices/sda1/WINDOWS/system32/wh.exe <<< Is the Trojan horse TR/Crypt.XPACK.Gen
not removable
file renamed.
------ scan results ------
directories    14339
files:           689228
alerts:           3
suspicious:           0
repaired:           0
deleted:           0
renamed:             0
quarantined:       0
Warnings:           3
scan time:00:59:12

========================================

Do I need to be concerned about the two warnings where the files were supposedly too large to completely scan?
Personally I doubt that /...Local Settings/Temporary Internet Files/Content.IE5/OTE30PE3/horoscopes[1].css is greater than 191397888 bytes.
What about the archive that was not completely scanned because it was encrypted?

After rebooting I looked for the above items to see to what they had been renamed.
The first item /media/Devices/sda1/ComboFix/n.pif appears that Avira removed the "/n.pif" and it now appears as a folder in the root of the C:Drive with the same icon as "My Computer".  When I click on the "plus" (+)  next to it it opens up and appears the same as "My Computer" with the entire hierarchy down to but not including "My Network Places".  I am afraid if I delete it it will wipe out my entire hard drive.

The second item:
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files/Content.IE5/OTE30PE3/horoscopes[1].css

is damaged also in that the hierarchy goes as far as
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files
then there is no Content.IE5 or anything below that.
When I right-click on Temporary Internet Files and click properties it reports that it is 432mb with 14,523 files AND 24 folders but I cannot see the folders.  When I look at the files alphabetically the Content.IE5 is not in the list as a folder or otherwise.
Needless to say I cannot find the horoscope file or the other file?folder.


ALERT: [HIDDENEXT/Crypted] /media/Devices/sda1/TEMP/ComboFix.exe --> 32788R22FWJFW\n.pif
was found in the TEMP folder of the C:Drive (sda1) renamed to ComboFix.exe.XXX


archive: /media/Devices/sda1/WINDOWS/system32/files.zip
this file is dated 7/1/2009 at 1:03 AM and is only 20KB
I manually renamed it to files.xxx.zip.


ALERT: [TR/Crypt.XPACK.Gen] /media/Devices/sda1/WINDOWS/system32/wh.exe <<< Is the Trojan horse TR/Crypt.XPACK.Gen
This file was renamed to wh.exe.XXX and is dated 7/1/2009 at 1:03 AM and is 34KB
Obviously these two are related since they are dated the same and timestamped the same.

My biggest concern is with the ComboFix file/folder/My Computer or whatever it is.
The properties say it is 6.56 mb, contains 197 files and 1 folder.
I feel somewhat that it may be the ComboFix I downloaded yesterday and it gave a "false positive" to Avira.
BUT what do I do with it now?

By the way, I still have 50 instances of ashMaiSv.exe and NO instances of ashWebSv.exe.


When I restart avast detected an unauthorized modification to ashDisp and I was asked if i wanted to run it anyway.
I said no and thus, ashDisp is not running but ashMaiSv has 21 instances running in the first 5 minutes.  Also, ashServ and aswUpdSv are running but no other ash modules.

Should I uninstall and reinstall AVAST again?

One piece of good news is that I no longer get the message that I am not authorized to shutdown or restart windows.

Thanks,

Jay Gee
« Last Edit: July 08, 2009, 05:58:29 PM by Jaygee »

micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #19 on: July 08, 2009, 07:47:16 PM »
Please do not worry about the game pop up, , its harmless. The second cartoon character, was possibly the linux penguin. I did not realise, but Avira does see Combofix as malicious.Its a heuristic find. Recommending, having both at the same time was a mistake, apologies.I would remove Combofix http://www.bleepingcomputer.com/forums/topic114269.html
Regarding the unexplained 6.56 mb, folder. What is in that folder ? Did you actually run Combofix,it could be back up files.
As for all those temp files, you could run Ccleaner http://filehippo.com/download_ccleaner/ Do not install the Yahoo toolbar ( optional  )
Regarding wh.exe, I'm not sure how serious a threat that was, prevx says system backdoor, others say adware. With what MBAM found ( C:\WINDOWS\system32\win32.exe (Backdoor.Bot) ) plus the AV2008, you seem to have had some bad stuff  on board.
Personally I 'would' reinstall Avast, however, Its just my opinion, you still have something nasty lurking . Thats my opinion only


Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #20 on: July 08, 2009, 07:59:54 PM »
I did start ComboFix yesterday and it was unable to set a system restore point so I terminated it.
I think I have corrected the problem with system restore so I could try it again but it now looks "exactly" like "My Computer" in that if I click on the (+) sign next to it (in Windows Explorer) or double-click the name it opens up a tree structure beneath it that is "Exactly" the same as "My Computer" including the "ComboFix" name with no extension and another (+) sign.  It is recursive down at least a couple more levels.  I didn't want to go any further.  I tried to rename it by putting a .xxx at the end but it still appears with the "My Computer" icon and nothing changes.  Explorer still reports it as a folder with sub folders the same as "My Computer."

I am going to uninstall/reinstall AVAST and see what happens with ashMaiSv and ashWebSv and now ashDisp too.

Thanks

Jay Gee

micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #21 on: July 08, 2009, 08:15:51 PM »
Well i would assume Avira has wrecked Combofix, by renaming it , so please remove it. I should not have advised you to use it Removing Combofix may well remove that folder
« Last Edit: July 08, 2009, 08:30:41 PM by micky77 »

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #22 on: July 08, 2009, 08:29:07 PM »
What about the fact that the icon has my entire SYSTEM structure showing within it?
I am fearful that Explorer may interpret the delete command as all inclusive of the items therein and damage my system beyond repair.

Scared,

Jay Gee

micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #23 on: July 08, 2009, 08:32:33 PM »
Its only 6 mb in size, remove Combofix as suggested, and see if that folder is still there

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #24 on: July 08, 2009, 08:50:08 PM »
Do you mean to use remove Combofix http://www.bleepingcomputer.com/forums/topic114269.html
you mentioned previously?  That may not work at all now because it does not have a file extension except the renaming I did as.xxx.
Previously it was "ComboFix/n.pif " now it is just "ComboFix.xxx".  Do you think I should try to rename it to n.pif and see if it will execute?



micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #25 on: July 08, 2009, 09:14:54 PM »
I would  'try' the removal method.However, I would not worry too much at this point, about Combofix or any folders its created. They are  not the main concern. Your main concern is any malware still on your pc and the fact Avast is not working correctly.
« Last Edit: July 08, 2009, 09:27:06 PM by micky77 »

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #26 on: July 09, 2009, 03:28:54 PM »
I disagree with what you deem as my main concern because if Windows Explorer for some reason now reads the "ComboFix" "Folder" as having the same attributes as "My Computer" and it is recursive for at least 3 levels down ... i fear the loss of much more than just one folder.  Remember, once it starts to delete everything, I can't stop it.  Even if I power off the damage to FAT tables etc. already inflicted by the delete action may be unrecoverable.  Does anyone know how to change the attributes of a folder back to a file?

By the way, the removal method recommended is to run ComboFix from the"Run box" with "Combofix /u".  I don't think it will run when it appears as a folder.  I will however give it a try.

Thanks,

Jay Gee
« Last Edit: July 09, 2009, 03:32:06 PM by Jaygee »

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #27 on: July 09, 2009, 04:18:40 PM »
I attached an external drive and copied the Combofix folder to verify what Windows Explorer saw in the folder.  As it copied over I saw that it was NOT going to delete everything in the system so I then deleted the folder from the C: drive.  I was doing some research on TR/Crypt.XPACK.Gen to see what registry entries or changes it may have made that are keeping some functions from working in WIndows.  I ran across "eXterminate IT!", downloaded it and ran it.  The trial version will only detect and not remove any malware but it found c:\WIndows\PEV.exe, a Trojan with a Malware name of "Games Thief"  A Google search yielded a site called prevx.com at the top and their site says this is also known as PEV.CFEXE, VFIND.EXE, SUS.VFIND.EXE.SUS, DC1.EXE, 54212433.EXE, 11464626.EXE and has varying file sizes.  It was first seen in Mar 2009. Here is their list of behaviors for this.
File Behavior

PEV.EXE has been seen to perform the following behavior:

    * The Process is packed and/or encrypted using a software packing process
    * Executes a Process
    * Writes to another Process's Virtual Memory (Process Hijacking)
    * Uses low level functions to hide itself from the user and from system/security processes
    * Found on infected systems and resists interrogation by security products
    * The Process is polymorphic and can change its structure

PEV.EXE has been the subject of the following behavior:

    * Executed as a Process
    * Created as a process on disk
    * Terminated as a Process
    * Has code inserted into its Virtual Memory space by other programs
    * Deleted as a process from disk

I realize I may grabbing for straws but is this possibly the reason ashMaiSv is appearing in my task list 50 times?

How do I send this to AVAST?

Jay Gee

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #28 on: July 09, 2009, 04:35:29 PM »
I don't know if it is a possible reason for the multiple copies of ashMaiSv running but I would suggest sending this sample pev.exe to avast.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #29 on: July 09, 2009, 05:53:09 PM »
I'm very happy you sorted that folder out. Regarding Exterminate-it, I,m very wary of unknown programs that find threats, then want money to remove them.There site is not seen favourably by WOT http://www.mywot.com/en/scorecard/exterminate-it.com However please send Pev.exe to virus total. You could also upload wh.exe or wh.exe.xxx, to see what kind of virus it was.

If you wish here are some scanners that will remove malware

DrWeb Cureit ( standalone tool ) http://www.freedrweb.com/cureit/
Trend Micro online scanner http://housecall.trendmicro.com/

Also strongly recommended SAS http://www.superantispyware.com/

If you don't mind could you please download HijackThis and run it. A scan will take 10 seconds. Choose ' scan and save a logfile ' and copy/paste the txt log here.Thank you http://filehippo.com/download_hijackthis/