Fake Windows security alert.... Control Panel is gone

Hello, I am getting a fake Windows security alert. Whatever this is has disabled Control Panel, and avast is no longer running in the task bar. Anyone have any ideas how to get rid of this? I used ComboFix and now have Control Panel back. I have scanned with SUPERAntiSpyware. Any ideas?

For the fake security alert, try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php.

What did SAS find?

What avast processes are running in Task Manager? They begin with ash or asw; see image:

http://img.photobucket.com/albums/v325/for-dwr/ashresources.gif

The Control Panel one is strange, but it is probably being blocked, and Task Manager, regedit and msconfig may also be blocked. What is it you are trying to access in the Control Panel?

I suggest you test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster too.

Thanks, I will try RogueRemover. I ran ComboFix, so I do have Control Panel back, but avast was taken out of my startup.

  1. Check the option in the Appearance tab of settings.
    or
  2. Repair your avast installation through Control Panel.
    or
  3. Make a link to ashdisp.exe in your startup folder
    or
  4. Add the path to ashDisp.exe into a value named avast! in the Windows Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    See picture here: http://forum.avast.com/index.php?topic=26155.msg213891#msg213891

If that does not help, please uninstall, reboot, install again, and reboot.

The most usual suspects for taking out ashDisp.exe (the avast icon and interface to settings, etc.): what other security-based software do you have that might block new startup entries, e.g. Spybot S&D (TeaTimer), AdAware (AdWatch), SpySweeper, Spyware Doctor (StartUpGuard or OnGuard), PrevX, WinPatrol, ProcessGuard, etc.?

I think I have found out what I have. One of the startup items I have is called timoty.exe (Vundo?).
I tried the two things you guys suggested, but to no avail. I am unable to access Add/Remove Programs to reinstall avast. Any suggestions?

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:43, on 2007-11-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\timoty.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bobby\Desktop\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18..\Run: [froody] C:\WINDOWS\system32\timoty.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18..\RunOnce: [Magnify] Magnify.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [froody] C:\WINDOWS\system32\timoty.exe (User 'Default user')
O4 - HKUS.DEFAULT..\RunOnce: [Magnify] Magnify.exe (User 'Default user')
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O17 - HKLM\System\CCS\Services\Tcpip..{A4B53E5F-4363-4266-9F43-50BE9AFA2EBB}: NameServer = 85.255.115.75,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Bobby/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg


End of file - 6323 bytes

Can you post the contents of this Registry key?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load

If all entries are listed there, your Control Panel will be empty... (don't load)

If it looks like Vundo, SAS is usually quite good on Vundo detections, but there is also the Vundo Fix Tool - Aliases - WinFixer / Virtumonde / Msevents / Trojan.vundo.

Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html

Your version of JAVA is very old, which doesn't help in securing your system. Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.

Then get the latest update from here http://www.java.com/en/download/index.jsp

Or JRE version 6 update 3 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

Your copy of HJT is also old: FileHippo Download - HiJackThis.

It is probably best not to have HJT on your desktop but in a folder of its own. Download the latest version and disconnect from the internet, uninstall/remove your existing HJT and install the latest version; it should create its own folder.

You don't appear to have an active firewall; your system is an open door.

Fix:
C:\WINDOWS\system32\timoty.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4 - HKLM..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKUS\S-1-5-18..\Run: [froody] C:\WINDOWS\system32\timoty.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [froody] C:\WINDOWS\system32\timoty.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

That is a start.

These two I'm not sure about, but I'm suspicious:
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
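The triage the helper did by hand on the log above, as an added example that is not part of the original thread (and not HijackThis or avast code either). It takes a constructed subset of the posted log lines and returns, per check, what ended up in the Fix list: the extra executable on the Shell= line (F2), the one command registered under several hives (O4), the two Startup folder items (O4), the DisableRegedit policies (O7), and the per-interface DNS servers that differ from the global Tcpip\Parameters list (O17). The DNS mismatch is flagged for review only; the script does not judge whether those addresses are legitimate.

```python
"""Triage helper for a HijackThis (HJT) log.

Added example; not code from the thread, from HijackThis or from avast.  It
applies the checks the helpers above made by eye: executables added to Shell=
(F2), one command registered under several hives (O4), Startup folder items
(O4), policy restrictions (O7) and per-interface NameServer lists that differ
from the global Tcpip\Parameters list (O17).
"""
import re

# Constructed sample: a subset of the log posted in the thread (straight quotes).
HJT_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4 - HKLM..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18..\Run: [froody] C:\WINDOWS\system32\timoty.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18..\RunOnce: [Magnify] Magnify.exe (User 'SYSTEM')
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip..{A4B53E5F-4363-4266-9F43-50BE9AFA2EBB}: NameServer = 85.255.115.75,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# e.g. HKUS\S-1-5-18..\Run: [froody] C:\WINDOWS\system32\timoty.exe (User 'SYSTEM')
RUN_RE = re.compile(r"^(?P<hive>.+?)\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*?)(?: \(User .*\))?$")
STARTUP_RE = re.compile(r"^(?P<where>Global Startup|Startup): (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^(?P<key>.+?), (?P<name>\w+)=(?P<value>.*)$")
NS_RE = re.compile(r"^(?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_entries(log):
    """(section code, body) pairs; header and process-list lines do not match."""
    matches = (ENTRY_RE.match(line.strip()) for line in log.splitlines())
    return [(m.group("code"), m.group("body")) for m in matches if m]


def shell_extras(entries):
    """Tokens on the F2 Shell= line other than Explorer.exe (a clean XP box has none).
    The value is space separated, so a quoted path containing spaces is not handled."""
    extras = []
    for code, body in entries:
        if code == "F2" and "Shell=" in body:
            value = body.split("Shell=", 1)[1]
            extras += [t for t in value.split() if t.lower() != "explorer.exe"]
    return extras


def run_entries(entries):
    """Map each Run/RunOnce command (lower-cased) to the set of hives registering it."""
    by_cmd = {}
    for code, body in entries:
        m = RUN_RE.match(body) if code == "O4" else None
        if m:
            by_cmd.setdefault(m.group("cmd").lower(), set()).add(m.group("hive"))
    return by_cmd


def multi_hive_commands(entries, min_hives=2):
    """Commands started from several hives: typical of malware that wants every account."""
    return sorted(c for c, hives in run_entries(entries).items() if len(hives) >= min_hives)


def startup_folder_items(entries):
    """(folder, file) for per-user 'Startup' and all-users 'Global Startup' items."""
    items = []
    for code, body in entries:
        m = STARTUP_RE.match(body) if code == "O4" else None
        if m:
            items.append((m.group("where"), m.group("cmd")))
    return items


def policy_restrictions(entries):
    """(hive, policy, value) for every O7 restriction that is switched on."""
    found = []
    for code, body in entries:
        m = POLICY_RE.match(body) if code == "O7" else None
        if m and m.group("value") != "0":
            found.append((m.group("key").split("\\")[0], m.group("name"), m.group("value")))
    return found


def nameserver_overrides(entries):
    """Per-interface O17 NameServer lists that differ from the global one.
    A mismatch only means the interface was set separately; whether the servers
    are legitimate has to be checked against the ISP or DNS provider."""
    global_servers, per_interface = None, {}
    for code, body in entries:
        m = NS_RE.match(body) if code == "O17" else None
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",")]
        if m.group("key").endswith("Parameters"):
            global_servers = servers
        else:
            guid = re.search(r"\{[0-9A-Fa-f-]+\}", m.group("key"))
            per_interface[guid.group(0) if guid else m.group("key")] = servers
    return {k: v for k, v in per_interface.items() if v != global_servers}


if __name__ == "__main__":
    found = parse_entries(HJT_LOG)
    for check in (shell_extras, multi_hive_commands, startup_folder_items,
                  policy_restrictions, nameserver_overrides):
        print(f"{check.__name__}: {check(found)}")
```

Run it as a script to print the findings for the embedded sample; to use it on a full log, read the file into a string and pass it to parse_entries. The multi-hive check is a heuristic: a legitimate program normally registers its Run value once, while the sample's timoty.exe is registered under HKLM, HKCU and the SYSTEM hive.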

Hi David, they are bad, part of Virtumondo (latest version); might need a rootkit scan to clean them.

We need the suspicious files... can you send them to VirusTotal and, in case of positive results, make a password-protected archive and send it to virus[at]avast[dot]com?

Thanks Martin.
What do you think of the Startup: entries?
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe

@ rtate69
Based on what Martin said, here are some more tools as there may be hidden elements to this vundo infection.

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.

Thanks for the help, guys, but I went ahead and did a fresh install of XP. I would like to know if avast has problems running with firewalls (which ones are OK). Again, thanks for the quick responses.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

They'll all do the job, but ZoneAlarm Free is limited in user configurability, so I'd pass on that one. Comodo is being used by many forum users with XP. It's easy to set up and has a good help file.

It can be downloaded from

http://filehippo.com/download_comodo/

and a setup video tutorial here

http://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/noob_install_video_guide-t4766.0.html

I only mention the two firewalls above because they are the only two that I have any experience with.

Regardless of which one you go with, the following avast components need internet access:

avast.setup
ashWebSv.exe
ashMaiSv.exe

With XP I suggest: Comodo, ZoneAlarm, Kerio in this order.
With Vista I suggest: PCTools, ZoneAlarm, Comodo in this order.

I just installed Avast and it detected 45 infected files. I put all the issues in the chest because it would not repair them. Now my control panel button is gone. I want to uninstall Norton Antivirus so that Avast can run completely. I am also getting what I think is a bogus security alert. It says I have a Spyware operation running and that I should run a full scan to "pervent" any unauthorized access to my files. The "pervent" is what led me to think this was fake and I keep ignoring it. I've tried so many different things I don't know up from down now. Any suggestions?

Hi David

What do you think of the Startup: entries?
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe

Methinks they should die; they are all variations on the Virtumondo / SmitFraud type trojans. They also affect the authorisation settings of the system, and they are tenacious: not the files above, but the friends that they invite in.

I do think they should go, as I thought them suspicious back in http://forum.avast.com/index.php?topic=31664.msg263931#msg263931. This was mainly based on the fact that I hadn't seen them in HJT logs up to that point and I couldn't see why a user would need these settings to be startup and global, other than that they would be a very handy way of having some actions carried out for malware, Virtumondo as you mentioned back then also.

I would hope rtate69 would have fixed them based on my suspicions and your confirmation of Virtumondo back on Nov 24th. Unfortunately rtate69 decided to do a fresh install of XP on Nov 25th, so we weren't able to do any further investigation (VirusTotal, etc.).

This should get rid of some of.

Download superantispyware

Open and update SAS (superantispyware)

Then boot into safe mode

Open SAS and set up as follows

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked

CHECK ALL THE BOXES

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.

Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked. You can post/attach the log in your next reply if you wish.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  1. Close all other windows before proceeding.
  2. Double-click on dss.exe and follow the prompts.
  3. When it has finished, DSS will open two Notepads, main.txt and extra.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.