Multiple instances of AVAST modules in Taskmgr

I have 50 instances of ashMaiSv.exe and 50 instances of ashWebSv.exe listed in Windows Task Manager. They range in size from 1,272k to 3,052k for ashMaiSv.exe and 1,536k to 3,580k for ashWebSv.exe. When I first saw them propagating I was worried that they would eventually eat up all the memory and the system would lock up but when the count reached 50 they/it stopped propagating. BTW there are 4 or 5 different sizes for each of the modules in question. Does anyone have an idea why this would happen?

Thanks in advance,

Jay Gee

The installation isn’t correct. There should only be one occurrence of the avast processes in task manager, see image.

Do (or did) you have another AV installed on this system? If so, what was it and how did you get rid of it?
What other security software do you have installed?

I would suggest a clean reinstall (answer the other AV question):
Download the latest version of avast http://www.avast.com/eng/download-avast-home.html and save it to your HDD, somewhere you can find it again. Use that when you reinstall. Ensure that you scroll down and select the avast direct download link for the English version and not Cnet as that is for an on-line installation (not what you want to do).

Download the avast! Uninstall Utility, find it here and save it to your HDD.

    1. Now uninstall (using Add/Remove Programs; if you can’t do that, start from the next step), reboot.
    2. Run the avast! Uninstall Utility, reboot. If step 1 failed it may be necessary to run this from Safe Mode; once complete, reboot into normal mode.
    3. Install the latest version, reboot.

Thanks for the reply.
Two years ago we dropped Norton/Symantec AV and went with Avast. We used the uninstall that came with Norton. We have been running Avast since and never had a problem. We also noticed that in the taskmgr list it says the user is “unknown” for nearly every task. A few say “System”. I ran a virus scan with Avast of the Windows folder and subs and found three modules that were all part of a Trojan according to Avast. We deleted them and rebooted but still have the multiple instances of the 2 Avast modules. We don’t use Outlook for email so we terminated that in Avast and I thought the ashMaiSv would go away from the task list but it did not.

I will follow your suggestion and I will do a complete scan of the system at boot time to make sure there is no malware around. Hopefully this will clear up our misfortunes.

Thanks again,

Jay Gee

Download this program (free), install, update, and run a quick scan, then please copy/paste the results. Thank you. http://filehippo.com/download_malwarebytes_anti_malware/

Whilst it has been a long time since you had Norton/Symantec it may still be worth running this tool. Though it is more for confirmation than anything.

A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT

Deletion isn’t really a good first option (you have none left); ‘first do no harm’: don’t delete, send the virus to the chest and investigate.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Run MBAM as suggested and post the results.

Can you try an installation from scratch?

  1. Uninstall avast from Control Panel first.
  2. Boot.
  3. Download the latest version of Avast Uninstall and use it for complete uninstallation. If, for any reason, you can’t run it, try booting in Safe Mode and doing it from there.
  4. Boot.
  5. Download, save and install the latest avast! version. It will be good to accept the boot time scanning on next boot.
  6. Boot.
  7. Check and post the results.

I am going to go through the recommendations today but I first checked the Taskmgr list and found that the 50 instances are still there but the sizes have changed. Today the ashMaiSv is ranging from 360k to 620k and ashWebSv is ranging from 376k to 648k; much smaller than 2 days ago. No one has rebooted in between times and system seems stable.

Will post results later.

Sizes aren’t going to remain the same as it is based on working memory, which is obviously going to change.

I finished the recommended steps and just rebooted about 10 min ago. So far I only have 18 instances (just checked again after starting IE8 and it is now up to 23 instances of each module, ashMaiSv and ashWebSv.) I guess the problem is not solved and the number of instances will continue to increase. Hopefully it will stop at 50 again. The memory usage is higher again; ashMaiSv is 3044k to 3100k and ashWebSv is 3516k to 3556k. (Just for grins I just checked again and while typing the above the count has increased to 29.) :-[

By the way, during the boot-time scan there was one module infected.

Initialization of Chest files

Program will try to load all Chest files from the following server: (null)
FileID: 0000000001 Original file name: C:\Documents and Settings\Aloha\Local Settings\Temporary Internet Files\Content.IE5\K59KSU0F\antvrs.exe File category: 1
FileID: 0000000002 Original file name: C:\WINDOWS\system32\kernel32.dll File category: 0
FileID: 0000000003 Original file name: C:\WINDOWS\system32\winsock.dll File category: 0
FileID: 0000000004 Original file name: C:\WINDOWS\system32\wsock32.dll File category: 0

Action was completed successfully!

Explorer is showing all hidden and system files, yet C:\Documents and Settings\Aloha\Local Settings\Temporary Internet Files does not appear when I open Explorer. It only shows “Application Data” and “Temp” under Local Settings.

Any thoughts??

Thanks in advance

Jay Gee

It is now 45-50 minutes later and the count has reached 50 and holding. I am curious (yet grateful) as to why the count stops at 50 instances for each module. If I wanted to shut down each of these modules under normal circumstances (i.e. only one of each), where would I go in AVAST to do that?

I am also looking to solve another “problem?”
In taskmgr the “User Name” is “unknown” for all but a couple of tasks that say “SYSTEM”.

I have searched Google and everything that is even close is from 2005 and before and doesn’t exactly match my problem.

Thanks for any insights anyone can pass on.

Jay Gee

Have you run the program I suggested earlier?
antvrs.exe is from AV2008, a nasty bit of work. I assume you have already removed this program.

To All,

Here are the results of the MBAM scan. YES it did find some remnants of the AV2008 that we fought a while back.

If this virus/trojan/malware is so old why doesn’t AVAST find it?

========================================================================
Malwarebytes’ Anti-Malware 1.38
Database version: 2379
Windows 5.1.2600 Service Pack 3

7/6/2009 9:56:30 AM
mbam-log-2009-07-06 (09-56-18).txt

Scan type: Quick Scan
Objects scanned: 123691
Time elapsed: 10 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.

Folders Infected:
c:\documents and settings\Aloha\Application Data\AntiVirus (Rogue.AntiVirus2008) → No action taken.

Files Infected:
c:\documents and settings\Aloha\application data\antivirus\antvrs.exe (Rogue.AntiVirus2008) → No action taken.
C:\WINDOWS\system32\win32.exe (Backdoor.Bot) → No action taken.
C:\WINDOWS\system32\iaxcfg32.dll (Trojan.Agent) → No action taken.

Maybe the newest version of AVAST will catch more!

Thanks for your help. At this point I haven’t removed the selected items. I will do so and reboot to see how we make out.

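As an added illustration (not from the thread or from Malwarebytes), here is a small Python parser for the log layout MBAM printed above: it pulls out each finding under its section and lists the Security Center DisableNotify entries, which MBAM labels Disabled.SecurityCenter when their value is 1. The sample log is a constructed excerpt in that layout, and the arrow handling covers both MBAM’s own “->” and the “→” shown in forum renderings.

```python
import re
# Constructed excerpt in the layout of the MBAM 1.x log posted above (not the poster's full log).
SAMPLE_LOG = r"""Files Infected: 2

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
c:\documents and settings\Aloha\Application Data\AntiVirus (Rogue.AntiVirus2008) -> No action taken.

Files Infected:
c:\documents and settings\Aloha\application data\antivirus\antvrs.exe (Rogue.AntiVirus2008) -> No action taken.
C:\WINDOWS\system32\win32.exe (Backdoor.Bot) -> No action taken.
"""

# A section header ends in "Infected:" with nothing after it; summary lines ("Files Infected: 2") do not match.
SECTION_RE = re.compile(r"^(.+) Infected:$")
# "<target> (<family>) [-> <detail>] -> <action>"; MBAM writes "->", forum renderings sometimes show "→".
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<family>[^()]+)\)"
    r"(?: (?:->|→) (?P<detail>.+?))? (?:->|→) (?P<action>.+)$"
)

def parse_mbam_log(text):
    """Return one dict per detected item, tagged with the log section it appeared under."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        item = ITEM_RE.match(line)
        if section and item:  # "(No malicious items detected)" has no "(family)" suffix and is skipped
            findings.append({"section": section, **item.groupdict()})
    return findings

def disabled_security_center_notifications(findings):
    """Security Center *DisableNotify values MBAM saw set to 1: a value of 1 silences the
    Windows XP Security Center warning that antivirus or the firewall is off."""
    return [f["target"].rsplit("\\", 1)[-1] for f in findings
            if f["section"] == "Registry Data Items"
            and f["family"] == "Disabled.SecurityCenter"
            and "Bad: (1)" in (f["detail"] or "")]

def unactioned(findings):
    """Targets the scan reported but left in place (a report-only run, as in the post above)."""
    return [f["target"] for f in findings if f["action"].startswith("No action taken")]
```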

Yes you should run MBAM again and allow it to remove them.

However, before you do, send samples to avast to improve detection.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put “undetected malware” in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Sorry.
I already removed the items and re-booted before I saw your latest post.
Still getting multiple instances of ashMaiSv and ashWebSv
Any additional ideas will be much appreciated.

Thanks,

Jay Gee

I think you have a serious threat somewhere, possibly a rootkit. I would run one, if not both, of the following.

http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I am not very familiar with the use of Combofix, but it is a very powerful and useful program.

Using AVAST I terminated the web shield and the Outlook/Exchange modules and then rebooted. I thought that would keep ashMaiSv and ashWebSv from running. It did stop ashWebSv from running but ashMaiSv is still running 50 instances and there is no instance of ashWebSv running. Microsoft Security Center reports that “avast! antivirus 4.8.1335[VPS 090706-0]” is turned off yet taskmgr shows ashDisp.exe, 50 copies of ashMaiSv.exe, ashServ.exe and aswUpdSv.exe all running.

I tried to install combofix per a previous suggestion and, at the time, it could not set a restore point so I terminated it for now. I will restart System Restore and try again.

Thanks for all the great suggestions and support found here.

Jay Gee

Try the rescue CD; it scans your system without booting Windows. It does not create a log; I think you would have to write down anything it finds.

I must say … I was overtaken by a sense of having been coerced into downloading some awful program and destroying my system when I clicked on the Thumbnail on the Avira Web page and a popup got past Firefox. That popup was about an evil looking game of some sort. It opened another Firefox tab and left it open but I was quick to close it out of fear. I must say I was EXTREMELY reluctant to boot their CD after I saw that. Then when I booted the Avira CD another evil looking cartoonish character appeared in the upper left corner of the screen. Nonetheless I did boot up and after about 10 seconds the evil little character disappeared. This is not a good way for Avira to give a very comfortable feeling about their product(s).

I have transcribed all of the information on the Avira screen below.
Below that are a couple of concerns that I have.

========================================
Items found by Avira Rescue CD:

/media/Devices/sda1/ComboFix/n.pif
ALERT: [HIDDENEXT/Crypted] /media/Devices/sda1/ComboFix/n.pif <<< The file contains an executable.
This however, is disguised by a harmless file extension (HIDDENEXT/Crypted) not removable
file renamed. (Avira did not say to what it was renamed.)

/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files/Content.IE5/OTE30PE3/horoscopes[1].css
WARNING: archive not completely scanned: contents exceed 191397888 bytes
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files/Content.IE5/SI058REH/CADFBH79
WARNING: archive not completely scanned: contents exceed 191397888 bytes

/media/Devices/sda1/TEMP/ComboFix.exe
ALERT: [HIDDENEXT/Crypted] /media/Devices/sda1/TEMP/ComboFix.exe → 32788R22FWJFW\n.pif <<< The file contains an executable.
This however, is disguised by a harmless file extension (HIDDENEXT/Crypted) not removable
file renamed. (Again, Avira did not say to what it was renamed.)

archive: /media/Devices/sda1/WINDOWS/system32/files.zip → loader.exe extract error (ALL files in archive are encrypted.)
/media/Devices/sda1/WINDOWS/system32/files.zip
WARNING: archive not completely scanned: contents encrypted

/media/Devices/sda1/WINDOWS/system32/wh.exe
ALERT: [TR/Crypt.XPACK.Gen] /media/Devices/sda1/WINDOWS/system32/wh.exe <<< Is the Trojan horse TR/Crypt.XPACK.Gen
not removable
file renamed.
------ scan results ------
directories 14339
files: 689228
alerts: 3
suspicious: 0
repaired: 0
deleted: 0
renamed: 0
quarantined: 0
Warnings: 3
scan time:00:59:12

========================================

Do I need to be concerned about the two warnings where the files were supposedly too large to completely scan?
Personally I doubt that /…Local Settings/Temporary Internet Files/Content.IE5/OTE30PE3/horoscopes[1].css is greater than 191397888 bytes.
What about the archive that was not completely scanned because it was encrypted?

After rebooting I looked for the above items to see to what they had been renamed.
The first item, /media/Devices/sda1/ComboFix/n.pif: it appears that Avira removed the “/n.pif” and it now appears as a folder in the root of the C: drive with the same icon as “My Computer”. When I click on the “plus” (+) next to it, it opens up and appears the same as “My Computer” with the entire hierarchy down to but not including “My Network Places”. I am afraid if I delete it, it will wipe out my entire hard drive.

The second item:
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files/Content.IE5/OTE30PE3/horoscopes[1].css

is damaged also in that the hierarchy goes as far as
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files
then there is no Content.IE5 or anything below that.
When I right-click on Temporary Internet Files and click properties it reports that it is 432mb with 14,523 files AND 24 folders but I cannot see the folders. When I look at the files alphabetically the Content.IE5 is not in the list as a folder or otherwise.
Needless to say, I cannot find the horoscope file or the other file/folder.

ALERT: [HIDDENEXT/Crypted] /media/Devices/sda1/TEMP/ComboFix.exe → 32788R22FWJFW\n.pif
was found in the TEMP folder of the C:Drive (sda1) renamed to ComboFix.exe.XXX

archive: /media/Devices/sda1/WINDOWS/system32/files.zip
this file is dated 7/1/2009 at 1:03 AM and is only 20KB
I manually renamed it to files.xxx.zip.

ALERT: [TR/Crypt.XPACK.Gen] /media/Devices/sda1/WINDOWS/system32/wh.exe <<< Is the Trojan horse TR/Crypt.XPACK.Gen
This file was renamed to wh.exe.XXX and is dated 7/1/2009 at 1:03 AM and is 34KB
Obviously these two are related since they are dated the same and timestamped the same.

My biggest concern is with the ComboFix file/folder/My Computer or whatever it is.
The properties say it is 6.56 mb, contains 197 files and 1 folder.
I feel somewhat that it may be the ComboFix I downloaded yesterday and it gave a “false positive” to Avira.
BUT what do I do with it now?

By the way, I still have 50 instances of ashMaiSv.exe and NO instances of ashWebSv.exe.

When I restarted, avast detected an unauthorized modification to ashDisp and I was asked if I wanted to run it anyway.
I said no and thus, ashDisp is not running but ashMaiSv has 21 instances running in the first 5 minutes. Also, ashServ and aswUpdSv are running but no other ash modules.

Should I uninstall and reinstall AVAST again?

One piece of good news is that I no longer get the message that I am not authorized to shutdown or restart windows.

Thanks,

Jay Gee

Please do not worry about the game pop-up, it’s harmless. The second cartoon character was possibly the Linux penguin. I did not realise, but Avira does see Combofix as malicious. It’s a heuristic find. Recommending having both at the same time was a mistake, apologies. I would remove Combofix: http://www.bleepingcomputer.com/forums/topic114269.html
Regarding the unexplained 6.56 mb folder: what is in that folder? Did you actually run Combofix? It could be backup files.
As for all those temp files, you could run CCleaner (http://filehippo.com/download_ccleaner/). Do not install the Yahoo toolbar (optional).
Regarding wh.exe, I’m not sure how serious a threat that was; Prevx says system backdoor, others say adware. With what MBAM found (C:\WINDOWS\system32\win32.exe (Backdoor.Bot)) plus the AV2008, you seem to have had some bad stuff on board.
Personally I ‘would’ reinstall Avast; however, it’s just my opinion, you still have something nasty lurking. That’s my opinion only.