Prevx CSI reporting avast! ashDisp.exe as Dropper.Agent.GIT ?

Turned on my PC this morning and this is what popped out on my screen…

Another program is using this file:
C:\Windows\System32\Gebyw.exe

Used PrevX CSI and these are the readings:

http://www.imgplace.com/directory/dir4027/1198937066.jpg

Prevx CSI doesn’t report avast! ashDisp.exe as Dropper.Agent.GIT on my computer. 12/29/07 9:30 am EST

http://img297.imageshack.us/img297/5859/20071229prevxwu3.th.png

Something is definitely wrong here… I’m restoring my system to a system image I made two weeks ago. I have no patience to go through the removal process and I am sure even when it’s completed, nothing will be the same as before… so, backup images are the way to go. Thank God for Norton Ghost, it has never let me down.

Definitely a vundo infection - they are getting even sneakier now by changing other programme files to do their dirty work

There was a case a few months ago where ashDisp.exe was in fact infected. I don’t remember who it was, but they were a regular on this forum at the time. All I recall was comparing file sizes and that DavidR also commented.

What is even crazier is the fact that I went back all the way to my July System Restore image. When I scanned everything with Prevx CSI, a similar thing happened (Trojan.Vundo), but the only difference is that the avast! file is not infected. And, as you would guess, no more avast! asking me to restart my system (from the other thread I started in this forum). So it could be that these two things have something in common.

The question… what happened to avast! protection ? Isn’t it supposed to protect us from things like this ?

Ok, going back to my System Restore images… I’m going all the way back to last year to see what’s gonna happen when I restore one of those images… huh, difficult to enjoy these holidays when I have to sit in front of my PC the whole day…

Yes, I forgot to say, I’ve noticed a few applications had exactly the same files (exactly the same name and extension) residing inside the same folder (how that is possible is beyond me)…

I remember all of them had the same size… some 980 KB or something, if I remember well.

Prevx is reporting this thing… can’t fix anything since I don’t have the registered version. Nice touch PrevX developers ^%$#@&%$&%

There is also a Norton Vundo removal tool… funny thing is that it can’t find a thing on my computer. Ha? What now?
It looks like I really have to go all the way back to last year with my Ghost System Images.

http://img2.freeimagehosting.net/uploads/e26375ddd2.jpg

Hi Sash, can you download and run this programme - it will look for any altered programme files. They are changed in a specific and detectable way.

1. Download RenV.exe by sUBs to your desktop
2. Double click on it to run it
3. It will search your system drive looking for any modified .exe file and will produce a log for you.
4. Please attach this report to your reply (do not copy and paste)

Isn’t it an infection that passed through avast protection, i.e., a misdetection by avast?

Sasha, are you saying in other thread…

that avast could be restarting because it’s corrupted (infected) and then it’s repaired by the update and then requires a reboot?

I guess so, sure it looks like that…

I am doing a boot scan as we speak (posting this from my laptop), and avast! already found some file named svcUpdate.exe or something like that that’s infected. I sent it to the chest… what do I do with it now? Do I have to replace it with the same file that’s not infected, or something else?

Have to go out now, I will leave my desktop PC and avast! boot scan to fight. When I am back I will see what’s happening. If nothing helps, I am afraid I will have to restore one of my oldest system images… :-[

Which file? svcUpdate.exe or any of avast files?

Give essexboy’s suggestion a shot first.

Here is a link to where this tool was used in a vundo infection http://www.bleepingcomputer.com/forums/topic122459-15.html#entry697476 and as you can see a lot of legit files were corrupted. This tool is about one week old.

Thank you guys so much for all the replies and your help, I really appreciate everything!

Unfortunately I hadn’t noticed my friend’s (essexboy) reply with the link for that little tool, and I already restored one of my old system images that had no infected files inside… totally clean.

avast! boot scan started to fool around saying it is unable to repair some files, so I gave up and went with restoring one of my old system images.

Problem is solved, I just wish I’d noticed that post in time, so at least I could have given it a try and seen what happens. Anyway, this is the situation and I had a lot of extra applications to reinstall, but at least it’s 100% clean now.

Thanks again people, I appreciate your assistance!

It makes me wonder how long your system was infected… And no detection from avast! for all that time. Were you able to send those infected files to Alwil, or perhaps scan them over at VirusTotal?

Files were definitely infected… the last system image I tried was going back to July… that one was still infected. The first system image that contained an infected ashDisp.exe is the one from September. I had to go all the way back to last year to make sure.

Couldn’t it be a false positive from avast itself? I mean, the updated VPS is detecting them as being infected?

What does VirusTotal say about them?

The strange thing is - if ashDisp.exe was modified (infected), it should announce that when started…

This behavioural change in Vundo was first noticed about 2 weeks ago and it then took about a week for a search and repair tool to be developed. It appears to have copied some elements from AWF.