Please Help!

AleKx, if avast is completely and correctly uninstalled, there should be no process running, no files left behind… nothing. What I see from your posts is that you’re complaining about badly uninstalled software.

avast does not phone home… something is infected in your computer.

Tech you’re kidding right?

Again, had you read my post, the current update is yes, we all think I have a virus.

Your first post was “did you reboot after uninstalling?”, and you were behind on that one. Now we’re at the part where we’re all 99% sure I have a virus. Regardless of the outcome, I’m glad my concerns were not in vain. I appreciate all the input from all of you guys. You wouldn’t be taking the time to write if you didn’t want to help.

Finding out where it came from is the least of my worries. I’d like to find out how to remove it. The trojan’s name is Trojan.Win32.Patched.m (Again, read my posts)

I’ve tried a few programs but they only seem to point out that I have this virus, they won’t remove it like Avast! does with its trial. But Avast! didn’t detect it. Should I try AVG maybe?

This is an intriguing post. What P2P program do you use? Was it a fresh download or from a backup after your reformat?

No. I can’t understand that a legit ashWebSv.exe or a legit ashMaiSv.exe files could be present in a computer without avast correctly uninstalled.

Your last two posts, gentlemen, are exactly what I’ve been trying to emphasize. I can’t imagine either. But the Netstat -ab report is there. I’m not wasting my time on forums with false Netstat reports. The IP was there and using that Avast! .exe, and it remained there and listened on epmap, microsoft-ds, netbios-ssn, etc. and other processes, with the SAME IP, even after uninstalling.

I will mention one last time how I uninstalled.

Initially I did it through Control Panel Add/Remove Programs, which seems to have worked fine. I REBOOTED after uninstalling.

Then I did the netstat and found it was still there, just this time, not using Avast’s Ashweb.exe or whatever the exe is called. But it was still listening. Same IP

Then I posted here and someone told me to run “aswclear.exe” - Avast!'s own uninstall program. Now, with basic experience, I’ve been taught that if somehow you’ve wrongly uninstalled a program, it’s best to re-install it if you can, before doing the “proper” uninstall. So I did. I re-installed avast, but this time, I uninstalled Avast! with aswclear.exe. I then REBOOTED.

I did netstat and the connections were using again, multiple DLL files and alg.exe and what not.

The trojan is called Trojan.Win32.Patched.m

Avast! didn’t catch it. Actually, according to netstat when Avast! was installed and running, the IP was attached to the files that Avast! used. (I could be completely wrong.)

The p2p program that I used was utorrent. I’ve been playing Unreal Tournament and all its latest versions, ut2k3, ut2k4, UT3, since UT99. I’m currently making a movie and I had downloaded a bunch of oldschool UT movies that I could only find through torrents. I learned a long time ago to keep my programs as legit as possible.

Could anyone suggest a program that is free that could remove this particular trojan ?

Guys I don’t think you have a virus or even spyware. It seems that when you have p2p software installed you are part of a network. This is what you are seeing. Avast won’t flag it, because it’s legit. Try uninstalling your p2p software and see if the traffic stops. Remember also that infected software may use legit ISPs to cover their tracks, and blacklisting the ISPs blocks the bad and the legit.

The following is from an article on About.com

A good definition of P2P software was proposed by Dave Winer of UserLand Software many years ago when P2P was first becoming mainstream. Dave suggests that P2P software applications include these seven key characteristics:
-the user interface runs outside of a Web browser
-computers in the system can act as both clients and servers
-the software is easy to use and well-integrated
-the application includes tools to support users wanting to create content or add functionality
-the application makes connections with other users
-the application does something new or exciting
-the software supports “cross-network” protocols like SOAP or XML-RPC

It is supposed to be run ‘after’ the Add/Remove programs and only if needed (i.e., Add/Remove fails).

Has some issues with avast, I mean, avast with utorrent.

Tech I know how you might be thinking that I’m saying Avast is listening or trying to phone home with a Virus. Quite frankly, I don’t fully understand your hypothesis even after reading it multiple times. But I do know one thing, I’m not saying Avast! is part of the problem, or trying to phone home. I’m trying to help you help me, I’m not trying to be against you. Like I said in like 3 posts, I appreciate people who take the time to help.

I think I have a virus that Avast didn’t detect. And possibly, since the virus used files like winlogon.exe (or winlogin.exe) and that application uses such files as kernel32.DLL etc. and other multiple DLLs (it can take a few DLLs for one .exe), then isn’t it possible that by bypassing avast, it’s a root-kit trojan or something? Avast! obviously did not detect it, another program did. It’s recognised as a Trojan. The trojan used some files that Avast probably used as well to operate. That’s probably why I saw the IP using ashweb.exe.

Now the things I know are

A) I have a virus, it’s called Trojan.Win32.Patched.m
B)Avast! didn’t detect it.
C)It’s highly likely that I got the virus from utorrent since I have only formatted 5 days ago.
D)If it is a network like you guys say, because that I have a P2P program installed, then it came with Trojan.Win32.Patched.m
E)I highly doubt that by uninstalling utorrent, the Trojan will disappear.
F)You guys are awesome for helping me. ;D

I’ll uninstall UTorrent and REBOOT and run netstat again, see if the SAME ip is still there using the same processes and dll files.

Also Tech, you say that Avast has issues with UTorrent, but Avast! didn’t detect anything when I ran UTorrent. It did detect something when I ran the OutPost Firewall though, I had to disable something. Funny that it would work for protection like a firewall, but not for a program prone to viruses like P2P UTorrent.

Let’s put Rifkin’s theory to the test: I’ll uninstall the P2P, he says the connections will disappear.

(Is it me or do people not read my posts? I’m infected with a trojan, avast didn’t detect it, you guys are giving me instructions on how to properly uninstall a program and telling me that if I uninstall the P2P the virus will go away and stop listening.)

Go ahead with what you are doing. Since you gave a name to the possible infection, I checked and one of the things it does is infect/replace winlogon.exe

So let’s see what we can discover about your copy.

Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

c:\windows\system32\winlogon.exe

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

To be honest the problem is solved. I simply need to find a spyware or anti-virus that will remove Trojan.Win32.Patched.m

Unfortunately I can’t use my Avast! that I paid for (I bought it, I don’t just use the free version), like all my other legit programs. I mention this because I see too many people cracking software and not buying the real versions. Hell you buy it once and it’s yours and you don’t have to worry about downloading full programs on malicious websites. You have the program, it’s clean, you’re good.

Sucks though, ironically enough I’ll probably end up finding a free program that removes specifically Trojan.Win32.Patched.m

Ok oldman, I will try that. Thank you.

This is my report from following your instructions:

MD5: 01c3346c241652f43aed8e2149881bfe
Date: 03.31.2008 06:17:30 (CET) [>4D]
Results: 0/32
Permalink: analisis/ed6726c2dfa5cc59ed62fb2c333dd8ef (here’s the link so you can view it: http://www.virustotal.com/analisis/ed6726c2dfa5cc59ed62fb2c333dd8ef )

from reading this, I’m assuming the MD5 is some type of identifier for winlogon.exe, the Date is self explanatory, and Results: show the number of infected files I assume?

Why then did Ghost Buster specifically detect c:\windows\system32\winlogin.exe as Trojan.Win32.Patched.m
?

I just figured out that the link you sent me used online scanners like Norton and Symantec to scan a specific file, which is awesome. But then why would all these known anti-virus programs not detect it but Ghost Buster 5 will?

http://www.trojanwin32-patched-removal.com.removal-instructions.com/removeTrojanWin32Patched.html

The above link has manual removal and a special SpyHunter scanner download link. All free. Also, some viruses infect the antivirus first! So they would detect it if they were not infected themselves. On-line virus scanners avoid this problem.

I uninstalled my P2P program UTorrent Rifkin, and I rebooted my pc. I also ran CCleaner and Registry Booster. I also cleaned my Temp files. I opened netstat and the same IP is still listening, still using netbios-ssn, epmap, microsoft-ds, and listening on specific ports.

Yes thank you Rifkin, I have already googled the Trojan name and found that link myself. I have already installed and tried SpyHunter. It detects nothing. Ghost Buster 5 does though, and it detects winlogon.exe specifically, COINCIDENTALLY? using the same files that the IP constantly listening to my ports is listening with? I think not. Again, thank you Rifkin. :wink:

…Wait I could be wrong, Instead of double posting I’ll just modify the post, It says to do that in SAFE MODE, which I haven’t done. So I’ll do that first and I’ll let you guys know.

A lot of you have been helping, again, you guys are kind, it is most welcome.

That scan would appear to be clean. Yes, the md5 is a file identifier. The date is a little strange, as on virustotal’s page it says “File winlogon.exe_ received on 03.31.2008 06:08:56 (CET)”; it’s April 04 where I am.

And yes, you are correct for the results, no one detected anything. A false positive on Ghost Buster’s part perhaps? Don’t get me wrong, I’m not denying you have a problem.

Let me check some more.

added

Rifkin may be correct, an online scan might be the answer. Eset and kaspersky both have good detection rates. The difference is eset will remove, kav will only report.

If this is the route you take, I’d be very interested in the results. A bit of a hobby.

You may want to try Ad-aware free version. I often run an Ad-aware scan with Avast set to check all files on opening. As Ad-aware reads the files Avast! checks them and often finds viruses that are missed otherwise. Also Ad-aware can find and remove some viruses itself. I also had one person whose ISP provider was infected, and every time the computer connected it got infected. I finally had to go off-line, do a clean reinstall and install anti-virus and anti-spyware before allowing it to connect, even for Microsoft.

AleKx

Did Ghost Buster’s scan also detect this file C:\WINDOWS\system32\dllcache\winlogon.exe ? It’s a backup copy of the file. These bugs mutate, so it’s possible that it’s slipped past the avs and GB is the first out of the block with the detection.
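One concrete way to answer the question above, as an added example that is not part of the thread: hash the live winlogon.exe and the dllcache backup and compare. The paths, the chunked reader and the sample bytes are assumptions constructed for the demo, not anything posted here. Note what the comparison can and cannot tell you: different hashes with the same file size is exactly what an in-place patch looks like (size alone proves nothing), but identical hashes only show the two copies agree, not that either is clean, since malware can overwrite the backup too; the MD5/SHA-256 output is what you would then look up against the install media or a VirusTotal report.

```python
"""Compare a system binary against its backup copy by hash.
Added example, not from the thread.  On Windows XP the backup lives at
%SystemRoot%\\system32\\dllcache\\winlogon.exe; the paths used below are
assumptions and the sample file contents are constructed for the demo."""
import hashlib
import os
import tempfile


def file_hashes(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in chunks so a
    multi-megabyte binary does not have to fit in memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def compare_copies(live_path, backup_path):
    """Hash both files and report whether they are byte-identical.
    'identical' False with equal sizes is the in-place-patch signature."""
    live = file_hashes(live_path)
    backup = file_hashes(backup_path)
    return {
        "live_md5": live[0], "live_sha256": live[1],
        "backup_md5": backup[0], "backup_sha256": backup[1],
        "live_size": os.path.getsize(live_path),
        "backup_size": os.path.getsize(backup_path),
        "identical": live == backup,
    }


def demo_patched(directory=None):
    """Write a constructed 'clean' backup and a byte-patched live copy of the
    same length into a temp directory, then compare them.  The bytes are made
    up for the demo; they are not a real PE file."""
    if directory is None:
        directory = tempfile.mkdtemp()
    clean = b"MZ" + b"\x00" * 62 + b"original winlogon code" + b"\x90" * 100
    patched = bytearray(clean)
    # Constructed: overwrite 10 bytes in place (a jmp plus padding), size unchanged.
    patched[64:74] = b"\xe9\x00\x10\x00\x00" + b"\x90" * 5
    live = os.path.join(directory, "winlogon.exe")
    backup = os.path.join(directory, "dllcache_winlogon.exe")
    with open(live, "wb") as f:
        f.write(bytes(patched))
    with open(backup, "wb") as f:
        f.write(clean)
    report = compare_copies(live, backup)
    report["live_path"] = live
    report["backup_path"] = backup
    return report


if __name__ == "__main__":
    # Assumed real-world paths; run the demo instead if they do not exist.
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    real_live = os.path.join(system32, "winlogon.exe")
    real_backup = os.path.join(system32, "dllcache", "winlogon.exe")
    if os.path.exists(real_live) and os.path.exists(real_backup):
        report = compare_copies(real_live, real_backup)
    else:
        report = demo_patched()
    for key, value in report.items():
        print("%-14s %s" % (key, value))
```

Run it on the machine in question and paste the two MD5 values next to the VirusTotal result; if the live hash differs from the backup and from the hash VirusTotal already reported clean, the live file has been modified since that upload.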

No, it only detected the virus in c:\windows\system32\winlogon.exe

I’m currently in Safe-Mode with Networking.

I figured out how to know exactly which exe the file is listening to. When you do Netstat -ab, it associates a PID to the connection. You can then CTRL+ALT+DELETE, go to View: Show PIDs, that way your Task Manager will show the PIDs. The files are: image name svchost.exe (Network service PID 864), image name winlogon.exe, svchost.exe (Network service PID 728) and image name System (System PID 4)

Here are some of the DLL files in use that THE IP LISTENING ON MY PORTS ALSO USES.

Protocol: TCP Local Address: box:epmap Foreign Address: ppp-54-25.32-151.iol.it:0 State: Listening PID: 728
RPCRT4.DLL
WS2_32.DLL
svchost.exe
(unknown components)
svchost.exe

epmap is just one of them. It also uses netbios-ssn, and microsoft-ds and a few others.

PS: “box” is the name of my computer.
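The PID matching described in the post above, done in code rather than by eye between netstat and Task Manager, as an added example that is not part of the thread. It parses `netstat -ano` and `tasklist /fo csv` output, which are real Windows commands, but the two sample outputs embedded below are constructed for the demo and the port-name table is an assumption. The example deliberately uses the numeric form (`-n`) rather than `-ab`: without `-n`, netstat reverse-resolves every address, so the placeholder foreign address of a LISTENING socket (0.0.0.0) can come back as a hostname, typically your own machine's or your ISP-assigned one. In numeric output a LISTENING socket's foreign address is always 0.0.0.0:0, which removes that source of confusion.

```python
"""Group listening sockets by owning process from netstat/tasklist output.
Added example, not from the thread.  Both sample outputs below are
constructed to look like `netstat -ano` and `tasklist /fo csv` on Windows."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the layout `netstat -ano` prints (numeric addresses, PID column).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       728
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1042       203.0.113.7:80         ESTABLISHED     1580
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in the layout `tasklist /fo csv` prints.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","728","Console","0","4,988 K"
"winlogon.exe","576","Console","0","2,600 K"
"firefox.exe","1580","Console","0","60,000 K"
'''

# Assumed service names for the ports the thread mentions (what `netstat -a`
# shows in place of the number when it resolves port names).
PORT_NAMES = {135: "epmap", 139: "netbios-ssn", 445: "microsoft-ds"}

# proto, local ip, local port, foreign address, optional state (UDP has none), pid
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local_ip, local_port, foreign, state, pid = m.groups()
        sockets.append({
            "proto": proto,
            "local_ip": local_ip,
            "local_port": int(local_port),
            "foreign": foreign,
            "state": state or "",       # UDP lines carry no state column
            "pid": int(pid),
        })
    return sockets


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def listening_by_process(netstat_text, tasklist_text):
    """Map each listening socket to its owning image: {image: [(proto, port, service)]}.
    A TCP socket is listening when its state says so; a UDP socket bound with
    foreign address *:* is treated as listening as well."""
    names = parse_tasklist(tasklist_text)
    result = defaultdict(list)
    for s in parse_netstat(netstat_text):
        listening = (s["state"] == "LISTENING"
                     or (s["proto"] == "UDP" and s["foreign"] == "*:*"))
        if not listening:
            continue
        # A PID absent from tasklist is worth flagging, not silently dropping.
        image = names.get(s["pid"], "<pid %d not in tasklist>" % s["pid"])
        result[image].append((s["proto"], s["local_port"], PORT_NAMES.get(s["local_port"], "")))
    return dict(result)


if __name__ == "__main__":
    for image, socks in sorted(listening_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items()):
        print(image)
        for proto, port, service in socks:
            print("  %s %d %s" % (proto, port, service))
```

On a live box, capture the two inputs with `netstat -ano > ns.txt` and `tasklist /fo csv > tl.txt` and feed the file contents to `listening_by_process`. In the constructed sample the epmap listener belongs to svchost.exe (PID 728) and the netbios-ssn/microsoft-ds listeners to System (PID 4), which is the normal layout for those ports on Windows; the established firefox.exe connection is not a listener and is left out.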

I have a solution, screw microsoft, and yay linux or mac. I’ve been a windows user for 10 years and I’m fed up with all the protection needed, antiviruses, anti-malware, anti-spyware, anti-trojans, anti-worms, etc etc. Even after investing in legitimate copies of the programs I use (I wasn’t always an angel but I learned) I still get viruses, even when running Avast or having a router. I can’t be arsed to hop from one anti-virus to the other because one program won’t fix them all because microsoft sells us an unfinished product, hence the 150 security updates I had to do 4 days ago after re-installing windows.

I’m done with it, done. Windows is going in the garbage. I’m probably going to run Mac since Linux is a lot of manual stuff. Besides, Macs have the fastest processors and best GFX, oh, and no viruses, or virtually none. A lot better than 10 years of microsoft’s bs that’s for sure.

Thank you to everyone who helped. But I’ve found a solution to my problem. Instead of finding a solution to get rid of the viruses, I’ll get rid of the thing that hosts them, the operating system itself.