Author Topic: Multiple instances of AVAST modules in Taskmgr  (Read 30099 times)

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #30 on: July 09, 2009, 06:06:59 PM »
Okay, here is the link to the Virus Total permalink ... the file was named PEV.xxexexx when I uploaded it.
I had booted into windows in safe mode and moved the file from its original location in C:\Windows to c:\Program Files\Alwil Software and changed the extension to xxexexx.  I thought that would make it available to move to the chest and send to AVAST but the chest is READ only and I cannot change it for obvious reasons.  Also, when I try to add it to the chest the ADD is greyed out.  I did email it to virus@avast.com as instructed.

I am emailing files.zip.xxx, formerly files.zip and wh.exe.xxx to virus@avast.com with a reference to this forum topic.

I uninstalled AVAST again today and reinstalled it after the above mentioned bad guys were renamed and I still have the 50 instances of ashMaiSv and ashWebSv.

Thanks for your replies,

Jay Gee

micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #31 on: July 09, 2009, 06:36:29 PM »
Can you post the Virustotal results for wh.exe.xxx?

I think Pev.exe is from Combofix, sorry http://forums.majorgeeks.com/showpost.php?s=3df47d211052f014e8b085ce8199ae0d&p=1349259&postcount=4

Can you post the HJT log ?
« Last Edit: July 09, 2009, 06:53:30 PM by micky77 »

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #32 on: July 09, 2009, 06:57:20 PM »
See the Virus Total report here for wh.exe.xxx
http://www.virustotal.com/analisis/936d276fbcebbc0e2cd686636f8bd208206750245bfcf8adfd30a08a53298cb4-1247156325

See the Virus Total report here for files.xxx.zip
http://www.virustotal.com/analisis/d892d9e42930861aebda760eea290250b763e27dd5d86d607a926414b3b6f545-1247156756

I was browsing around c:\Windows and found the following files that were all created on my system on 20090707 at 9:52 am, just 2 days ago ... these make me nervous and I am trying to research them now.  I deleted them to the recycle bin for now.

NIRCMD.exe
sed.exe
SWREG.exe
SWSC.exe
SWXCACLS.exe
zip.exe
grep.exe


Any input would be appreciated.

Thanks,

Jay Gee

micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #33 on: July 09, 2009, 07:05:26 PM »
This is getting silly. NIRCMD.exe is from Combofix, swxcacls.exe is from smitfraudfix, swreg.exe is from sdfix (as is grep.exe), etc. etc. It would be best if you let anti malware scanners do the job for you.

Actually I'm done here, best of luck

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #34 on: July 09, 2009, 07:17:06 PM »
I appreciate your position and I truly appreciate all your guidance throughout this mess.  I have been using Virus Total to check some of these files and 3 of them are reported as suspicious especially NIRCMD.
My point is that different malware scanners see things differently and I don't know which one(s) to trust.

I have not had the chance yet to download HJT but will later and then send the report. 

Please understand that I am not trying to be a pain ... I am only trying to get rid of any malware and to get AVAST to work with only one copy of the aforementioned modules running at a time.  Believe me I am just as frustrated with this problem as you are frustrated with me.

I apologize if I have somehow rubbed you the wrong way.

Thanks,

Jay Gee

micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #35 on: July 09, 2009, 07:34:58 PM »
You have absolutely nothing to apologise for. You have obviously been running many anti malware tools, some of which other programs see as malicious (as you and I have learned with Combofix and Avira). I wish I was more qualified to help you, I hope you sort your problem out.

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #36 on: July 09, 2009, 07:42:57 PM »
When I discovered the files you say are part of Combofix I also discovered a file that was created at the same instant as the wh.exe and the files.zip that we discussed earlier.  The file is named 715219c8b97e6ab3972c8ff73348b4c1 and 15 minutes ago it was 0kb.  Now it is 2kb.  I cannot delete it because it is in use by another user or process.


I just tried to post the HJT log but it exceeds 10000 characters so I will have to break it into two pieces.

Here is the first part:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:33 PM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\aloha\FTP\alohas.exe
d:\Aloha\vbo\bin_10.1.77.777\ATDDB.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Aloha\bin\Ctlsvr.EXE
C:\Program Files\DynDNS Updater\DynUpSvc.exe
d:\Aloha\bin\Edcsvr.EXE
d:\Aloha\vbo\bin_10.1.77.777\GCLegacy.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
D:\aloha\ftp\PollCheck.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
D:\Aloha\vbo\BIN_10~1.777\HRSocket.exe
D:\Aloha\vbo\BIN_10~1.777\VBODiag.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Part two to follow.

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #37 on: July 09, 2009, 07:44:24 PM »
Part two.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&siteState=ver%3a4%7crt%3aSTANDARD%7cac%3aWS%7cat%3aSNS%7cld%3awebmail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aAOL%7csnt%3aScreenName&offerId=mail-second-en-us&seamless=novl&xchk=false
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exxe
O4 - HKLM\..\Run: [WinVNC] "d:\Aloha\rdf\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HRSocket] d:\Aloha\vbo\BIN_10~1.777\HRSocket.exe
O4 - HKLM\..\Run: [VBODiag] d:\Aloha\vbo\BIN_10~1.777\VBODiag.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DynDNS Updater Tray Icon.lnk = C:\Program Files\DynDNS Updater\DynTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D855CE2-0433-4364-849B-41DBBD5D2CE1}: NameServer = 209.84.253.11,209.84.253.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = eagletel.us
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D855CE2-0433-4364-849B-41DBBD5D2CE1}: NameServer = 209.84.253.11,209.84.253.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = eagletel.us
O23 - Service: AlohaFTP (ALOHA) - Ibertech, Inc. - D:\aloha\FTP\alohas.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Aloha Durable Messaging Service (ATDDB) - Radiant Systems - d:\Aloha\vbo\bin_10.1.77.777\ATDDB.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CtlSvr - Radiant Systems, Inc. - d:\Aloha\bin\Ctlsvr.EXE
O23 - Service: DataSvr - Unknown owner - C:\Program Files\Wave Systems Corp\Common\DataServer.exe (file missing)
O23 - Service: DynDNS Updater - Dynamic Network Services, Inc. - C:\Program Files\DynDNS Updater\DynUpSvc.exe
O23 - Service: EdcSvr - Radiant Systems, Inc. - d:\Aloha\bin\Edcsvr.EXE
O23 - Service: Aloha GC Legacy Interface (GCLegacy) - Radiant Systems - d:\Aloha\vbo\bin_10.1.77.777\GCLegacy.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Radiant Heartbeat (PollCheck) - Radiant Systems - D:\aloha\ftp\PollCheck.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - d:\Aloha\rdf\WinVNC.exe

--
End of file - 14103 bytes
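The log above is the thread's own HijackThis output. As an added example (not code from the original thread or from HijackThis), here is a small Python reader for that log format: it counts how many copies of each O23 service binary appear under "Running processes" (a service image normally runs once, so the dozens of ashMaiSv/ashWebSv entries are exactly what it flags) and marks services with "Unknown owner" or "(file missing)". The embedded log excerpt is constructed, with the thread's paths but made-up instance counts.

```python
import re
from collections import Counter

# Constructed HijackThis v2 log excerpt: thread's paths, shortened list, made-up counts.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DataSvr - Unknown owner - C:\Program Files\Wave Systems Corp\Common\DataServer.exe (file missing)
O23 - Service: VNC Server (winvnc) - UltraVNC - d:\Aloha\rdf\WinVNC.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and 'Oxx - ...' entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes and line:
            processes.append(line)
        elif in_processes:
            in_processes = False  # the first blank line closes the section
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def process_counts(processes):
    """Running instances per executable path (Windows paths are case-insensitive)."""
    return Counter(p.casefold() for p in processes)


def review_services(parsed):
    """For each O23 service: (name, running instances, reasons to look closer).

    A service image normally runs once, so the thread's dozens of ashMaiSv and
    ashWebSv copies show as instances > 1; 'Unknown owner' and '(file missing)'
    are the other O23 entries a reviewer checks first.
    """
    counts = process_counts(parsed["processes"])
    rows = []
    for code, rest in parsed["entries"]:
        m = SERVICE_RE.match(rest) if code == "O23" else None
        if not m:
            continue
        instances = counts.get(m.group("path").casefold(), 0)
        reasons = []
        if instances > 1:
            reasons.append("multiple instances")
        if m.group("owner") == "Unknown owner":
            reasons.append("unknown owner")
        if m.group("missing"):
            reasons.append("file missing")
        rows.append((m.group("name"), instances, reasons))
    return rows
```

Run against the full log above, the same reader reports 25 instances each for the two avast scanners and only DataSvr under the owner/missing checks.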

micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #38 on: July 09, 2009, 08:55:06 PM »
You seem to have several instances of Norton/Symantec AV running on your pc, DavidR mentioned this first off. Did you run the removal tool he suggested http://forum.avast.com/index.php?topic=46553.msg391316#msg391316
Are you running two AV's ?
« Last Edit: July 09, 2009, 09:09:11 PM by micky77 »

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #39 on: July 10, 2009, 02:30:14 AM »
The tool that was suggested required the knowledge of what version of Norton/Symantec had been installed.  I do not recall what version or even what year exactly it was removed.  The remnants are not really remnants.  The CCAPP is common code for Symantec applications that are still installed, i.e. Ghost for automatic backups, LiveUpdate for all Symantec products and pcAnywhere.

The file I pointed out earlier c:\Windows\715219c8b97e6ab3972c8ff73348b4c1 (no extension) appears to be intercepting/capturing credit card transaction information from the Point of Sale system into the above named file, hence it grows as the day progresses, and saving the file once a day at exactly 10:00 am (the next morning) as .txt files in c:\Windows.  I found one for each day beginning on July 1, the date that wh.exe first appeared.  The July 1 file had no data in it because the POS/credit card app was not running when the wh.exe arrived at 1:03 am.  Every day since it has saved the files as S20090702.txt, S20090703.txt etc. and the file attributes are "System and Hidden".  The POS application does not save any files to C:\Windows.  In fact, all its data is on another physical drive.

Each transaction has a transaction number, terminal number, "HLD", CC number, Exp date, and amount.
Each is a line of text in a text file format.  I was able to open the file with notepad.
Perhaps the hacker knows something about the POS software and is searching for the HLD character sequence!

Any more assistance is greatly appreciated.

Thanks,

Jay Gee

We are now officially in panic mode to stop this.  Will be back on it in 11.5 hours from now.
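The indicators Jaygee describes (an extensionless 32-hex-character file in C:\Windows, daily S<YYYYMMDD>.txt files with System and Hidden attributes, and lines carrying the "HLD" marker next to a card number) turned into a Python triage pass over a directory listing, as an added example that is not part of the original thread. The listing, the attribute flags and the comma-separated record layout are constructed; the two file names are the thread's and the card number is the public 4111... test number.

```python
import re
from datetime import datetime

HEX32_RE = re.compile(r"^[0-9a-f]{32}$")
DAILY_RE = re.compile(r"^S(\d{8})\.txt$", re.IGNORECASE)
PAN_RE = re.compile(r"\b\d{13,19}\b")

# Constructed C:\Windows listing: the two file names are the thread's, the
# attribute flags and the comma-separated record layout are assumed, and
# 4111111111111111 is a public test card number, not cardholder data.
SAMPLE_ENTRIES = [
    {"name": "715219c8b97e6ab3972c8ff73348b4c1", "hidden": False, "system": False,
     "content": "1001,3,HLD,4111111111111111,1209,42.50\n"
                "1002,3,HLD,4111111111111112,1209,9.99\n"},
    {"name": "S20090702.txt", "hidden": True, "system": True,
     "content": "1001,3,HLD,4111111111111111,1209,42.50\n"},
    {"name": "explorer.exe", "hidden": False, "system": False, "content": ""},
    {"name": "setup.log", "hidden": True, "system": False,
     "content": "HLD 1234567890123 is a digit run, not a card number\n"},
]


def luhn_ok(digits):
    """Luhn checksum, the cheap filter that separates card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN and last four so a finding can be reported without copying the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def card_lines(text, marker="HLD"):
    """(line number, masked PAN) for lines that carry the POS marker and a Luhn-valid number."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if marker not in line:
            continue
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group()):
                hits.append((n, mask_pan(m.group())))
                break
    return hits


def triage_windows_dir(entries):
    """Flag the file patterns the thread describes in a C:\\Windows listing.

    entries: dicts with name, hidden, system, content (constructed here; a
    live run would fill them from os.scandir() and the file attributes).
    """
    findings = []
    for e in entries:
        name, reasons = e["name"], []
        if HEX32_RE.match(name):
            reasons.append("extensionless 32-hex name")
        m = DAILY_RE.match(name)
        if m:
            try:
                datetime.strptime(m.group(1), "%Y%m%d")
                reasons.append("daily S<YYYYMMDD>.txt dump")
            except ValueError:
                pass  # S + eight digits that are not a date: not this pattern
        if e.get("hidden") and e.get("system") and name.lower().endswith(".txt"):
            reasons.append("hidden+system text file")
        hits = card_lines(e.get("content", ""))
        if hits:
            reasons.append(f"{len(hits)} card-like HLD line(s), first {hits[0][1]}")
        if reasons:
            findings.append((name, reasons))
    return findings
```

The content check only ever reports a masked BIN and last four, so the finding can go into a ticket without spreading the card data further.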

micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #40 on: July 10, 2009, 12:13:27 PM »
I would run the Norton removal tool, regardless of what version you had. You initially said Avast removed 3 trojan related finds, MBAM removed a backdoor bot, Avira removed wh.exe (we still do not know how serious that was). You still report suspicious activity, and use the pc for business.
All I can suggest is that you try more scanners (scanning any external drives too) and report any findings.

If I was in your position, I would not hesitate to restore the pc to a clean image, if you have one (I assume you have, with Norton Ghost) from pre July 1, the date that wh.exe first appeared.

Here is a list of various scanners, some will find and report parts of the un-removed Combofix, and possibly the other tools you used (sdfix, etc.)

Anti virus scanners:
http://housecall.trendmicro.com/
http://www.freedrweb.com/
http://www.kaspersky.co.uk/virusscanner (will not remove malware)
http://www.eset.com/onlinescan/

Anti spyware:
http://www.superantispyware.com/

Anti rootkit:
http://filehippo.com/download_rootkit_revealer/ (does not remove)
http://majorgeeks.com/Sophos_Anti-Rootkit_d5238.html
http://www.trendmicro.com/ftp/products/rootkitbuster/RootkitBuster_2.52.1013.zip

« Last Edit: July 10, 2009, 12:38:26 PM by micky77 »

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #41 on: July 10, 2009, 09:49:14 PM »
It took me 7 1/2 hours but today I downloaded SysInternalsSuite at http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx and with the ProcMon program was able to isolate that c:\Windows\715219c8b97e6ab3972c8ff73348b4c1 was being updated every time a Credit Card transaction was processed by a module called ramsys32.sys.  I could not find a reference to it anywhere by a Google search so I moved it to another folder from C:\Windows\system32.  Subsequently, I saw a module in the Process Tab of ProcMon that referred to another .sys file that did not exist in the folder it pointed to.  However, in browsing the referenced folder I found another module called catchme.sys.  This booger WAS found in a Google search.  I ran it through Virus Total and only McAfee had anything to say about it.

McAfee-GW-Edition     6.8.5     2009.07.10     Heuristic.BehavesLike.Win32.Rootkit.L

I moved it to another folder and rebooted.  Suddenly everything seems fine.

The c:\Windows\715219c8b97e6ab3972c8ff73348b4c1 has not come back or appeared with another name of similar length and attributes.  Also, none of the processes in the taskmgr list say User Name Unknown.

While this monster was residing in the system no one was able to login via RDP and suddenly we can again.

Lastly, Norton Ghost was reporting that the trial period had expired.  We have a paid subscription that suddenly is "not expired" anymore.

I just reinstalled AVAST and I no longer have multiple instances of ashMaiSv and ashWebSv running much less 50.

Thanks to micky77 for patience and all the assistance.

Regards,

Jay Gee
« Last Edit: July 10, 2009, 10:04:33 PM by Jaygee »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #42 on: July 10, 2009, 10:26:21 PM »
If you moved it to a different folder and avast doesn't detect it then you should send the sample to avast to improve detections.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

micky77

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #43 on: July 11, 2009, 12:02:38 AM »
I just reinstalled AVAST and I no longer have multiple instances of ashMaiSv and ashWebSv running much less 50.

I'm so glad you sorted your problem out, well done to you. Hope you have no further problems. If I get a problem with my pc, I'm coming to you for help  :)

Jaygee

  • Guest
Re: Multiple instances of AVAST modules in Taskmgr
« Reply #44 on: July 11, 2009, 02:15:18 AM »
David R,

I did send the rascals to AVAST via email and the chest.

Micky77,

If nothing else I am very persistent and can't stand it that people out there feel some sense of joy or some twisted satisfaction from doing this type of thing to others.

What ever happened to "Do unto others as you would have them do unto you?"

Regards,

Jay Gee