nothing detected but lots of probs

I’ve had a few problems recently that led me to believe there’s a virus / worm on my computer, but nothing’s been found yet:

  1. computer is running slower than usual, especially windows media player (video is always jerky for example)

  2. computer randomly shuts down - e.g. I’ll be using the computer (browsing the internet, watching a movie, doesn’t seem to be process specific) and then without warning the computer shuts down (no windows shut down screen, it just goes black). I’ve noticed when I try to run spybot it always shuts down in the middle of a scan (maybe triggered by the malware being detected??)

I’ve run a boottime scan with AVAST, which didn’t detect any errors. Microsoft Antispyware didn’t detect anything bad. Hijackthis analysis was fine also.

Also, for some reason my Avast on-going protection (the one that runs in the sys tray) has disappeared but I don’t know how to bring it back.

I’m running Windows XP, SP2.
Zone Alarm Firewall, Avast 4.6 VPS 0541-1

Does anyone have any ideas on what I should do? It seems likely to me that I’ve got some kind of malware on my computer, but I don’t have any definitive proof yet.

thanks for any help

Could you post a recent HijackThis! log in full please?

We really need details rather than just symptoms. Give us a rundown of your system and how long it’s been installed. Are all the cleanable areas (temps) clean?
Have you recently done a defrag?
You can check if the resident shield is working in Task Manager (Ctrl+Alt+Del): look for 4 avast related processes.
Try running spybot in safe mode.

EDIT: I made 2 posts sorry guys but it happens sometimes ;D Just read below

Sounds more like overheating problem to me, can you check your temperatures?

EDIT: I just saw you have ZA installed, do you have the latest one? Cause some users here reported similar problems since the newest ZA update, apparently going with the previous version solves a lot of problems… Just a thought :wink:

Thanks

Mikey

thanks very much for your help

I’m on a business trip and don’t have access to my local PC, but when I get back will post a hijackthis log and other details

thanks again

Hi guys, I’m back.

Before I post the hijack this log, can anyone tell me how to get avast in the sys tray and starting up with Windows again? It doesn’t seem to be doing it …

BTW, my zone alarm is a new-ish version:
ZoneAlarm version:6.0.667.000
TrueVector version:6.0.667.000
Driver version:6.0.667.000

I’ve defragged recently, using executive diskeeper.

Below is the hijackthis log - I analysed it online, and it looks ok. Although the “file missing” messages next to the avast processes are a bit disconcerting.

any help much appreciated

How do I check my temperatures?

Logfile of HijackThis v1.99.1
Scan saved at 12:32:54 p.m., on 22/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Stefan C\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BC8FDB1-D560-44AE-8AAB-0777F0EA4B5E}: NameServer = 203.109.252.42 203.109.252.43
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BC8FDB1-D560-44AE-8AAB-0777F0EA4B5E}: NameServer = 203.109.252.42 203.109.252.43
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
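An added example, not part of the thread, that triages a HijackThis log like the one above: it parses the O23 service lines, separates a plain "(file missing)" from entries where a quoted ImagePath with arguments has confused the parser (the dangling " on the avast! and rpcapd lines), and flags core processes such as winlogon.exe running from anywhere but System32. The sample log is constructed and shortened; the Temp copy of winlogon.exe in it is invented for illustration.

```python
import re

# Constructed sample in HijackThis 1.99.1 format, modelled on (but much shorter than)
# the log posted in the thread; the winlogon.exe copy under Temp is invented.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winlogon.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Processes that on XP should only ever run from %SystemRoot%\system32.
CORE_PROCESSES = {"winlogon.exe", "smss.exe", "csrss.exe", "services.exe", "lsass.exe"}
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<image>.+)$")
PATH_RE = re.compile(r"^([A-Za-z]:|%\w+%)\\")  # a Windows path, not an O-section line


def triage_services(log):
    """(service name, verdict) for each O23 line. 'check-quote' means HJT says
    the file is missing but the path has a dangling '"' (ImagePath was quoted and
    followed by arguments, e.g. ashMaiSv.exe" /service), which this HJT version
    evidently splits badly; confirm on disk before treating the service as rogue."""
    results = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        image = m.group("image")
        if not image.endswith("(file missing)"):
            verdict = "ok"
        elif '"' in image and not image.startswith('"'):
            verdict = "check-quote"
        else:
            verdict = "missing"
        results.append((m.group("name"), verdict))
    return results


def core_processes_outside_system32(log):
    """Running-process paths named like a core OS process but not under
    \\system32\\ (a classic disguise used by bots and worms)."""
    flagged = []
    for line in log.splitlines():
        path = line.strip()
        name = path.rsplit("\\", 1)[-1].lower()
        if PATH_RE.match(path) and name in CORE_PROCESSES and "\\system32\\" not in path.lower():
            flagged.append(path)
    return flagged
```

Run it against a full HJT log (e.g. `triage_services(open("hijackthis.log").read())`) to get a short list of services and processes worth checking by hand.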

It should start automatically. How are the avast! services set to start?
Control Panel > Administrative Tools > Services

I suppose you have to have four avast! services:

C:\Program Files\Alwil Software\Avast4\ashServ.exe (avast! antivirus service)
C:\Program Files\Alwil Software\Avast4\ashUpdSv.exe (avast! Update Service)
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (avast! Web Scanner service)
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (avast! e-Mail Scanner service)

The first two of them should be loaded Automatically and the last two, Manually.

If you run C:\Program Files\Alwil Software\Avast4\ashdisp.exe
what do you get?

Did you use Kaspersky?
See: http://forum.avast.com/index.php?topic=12079.15
KAV removal tool: http://www.ice-kav.com/utilities.php
http://www.ice-kav.com/downloads/util/KAV_Registry_Clean.zip

I ran spybot and trojan hunter in safe mode - nothing detected.

I then ran Kaspersky’s online scanner (not in safe mode obviously) - part of the way through the scan my computer shut down.

Quite suspicious really …

BTW the avast services that don’t appear in the systray do load up when I double click on ashdisp.exe

I’ve just done another boot time scan, and it says that:

c:\windows\system32\winlogon.exe is infected with Win32:Rbot-Ang [Trj]

I try to select repair but it says “error 42060”

I’m worried that deleting the file will cause major problems, given the file is in the system directory … any suggestions?

Winlogon.exe seems to be legit when in System32.

You could submit the file to Jotti’s multi AV scanner to check for a false positive:

http://virusscan.jotti.org/

It can be part of Netsky.D, but not in this location. It might also be worth running the removal tools from Symantec and Sophos just for confirmation:

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.d@mm.html

http://www.sophos.com/support/disinfection/netskyb.html

Seems somebody else had the same problem:

http://www.help2go.com/postt16179.html

(No mention of which AV identified the file.)

Final edit:

Just checked my own winlogon.exe and there’s no false positive from avast! or any of the Jotti scanners. Try submitting yours to Jotti and let’s see what comes up. Don’t delete the file, because you won’t be able to log in to XP.

You mean the ‘icon’ (not the services)? Bad…
Are you sure KAV was completely uninstalled? And NAV, did you use it?

I see you are using a memory manager. I suggest removing it.
They only use memory themselves and do nothing that the OS isn’t already doing.

(This posting is now obsolete as it referred to the previous posting, which has now been entirely changed.)

In its place, here is a picture:

http://donaldbroatch.users.btopenworld.com/fruit.jpg

Stefanz:

I would suggest you install Ewido from www.ewido.net/en. This good & FREE program "specializes" in the detection and removal of trojans, worms, dialers, etc.

If the computer is shutting down randomly, it can be a hardware problem too.
Go into the BIOS → PC Health → change/enable the temperature warning to 46C or 50C.
Go into the BIOS → Advanced Chipset Features → enable S.M.A.R.T.

Go into failsafe mode and wait a few hours; if nothing happens, it is malware.
Use a few different antivirus cleaning tools that were recommended above.
And also some online scanners.

Here is one article…
http://apnews.myway.com/article/20050819/D8C2RE000.html

Hi guys … back again,

The file that is apparently infected is c:/windows/system32/winlogon.exe

I wanted to submit it to the jotti file check website, but could not even find the file; in fact I can’t even see the System32 folder, which is very odd.

Not being able to view/find such an important folder is strange…

C:\WINDOWS\system32\winlogon.exe should/could be a legit file… be careful and have your XP CD at hand…

Are you showing hidden files and folders?
To unhide them, open any folder and go to Tools > Folder Options > View, then scroll down to where it says ‘Hidden files and folders’ and check/tick ‘Show hidden files and folders’.

yep, I do have view all files selected, and I can see plenty of folders in the windows directory, but not the system32 one - it’s as if the malware is hiding that folder.

When I do a search for the file winlogon, the only search results that appear are:

winlogon.exe in c:\i386

winlogon.exe in C:\WINDOWS\$NtServicePackUninstall$

WINLOGON.EXE-0957F9B2.pf in C:\WINDOWS\Prefetch

winlogon.exe in C:\WINDOWS\ServicePackFiles\i386

Hi Stefanz,

There’s a solution for your problem here. (Penultimate posting.)

http://www.geekstogo.com/forum/index.php?act=ST&f=5&t=29093

Hopefully, this will allow you to see System32 again and submit the file to Jotti.

However, I suspect that stealth malware may be at work here. I suggest you try F-Secure’s BlackLight and also UnHackMe:

http://www.f-secure.com/blacklight/

http://www.greatis.com/unhackme/