Strange Avast alarm [Resolved]

Hello all ,

Since I am a newbie I thought I should ask here for help.
As you can see in the snapshot I've attached, I keep getting this message from avast when I am connected to the net.
As far as I can understand, it is an attempt from somewhere on the web to get into my PC.
Well, what can I do so I won't have these attacks?

I changed my IP but it wasn't enough. The message keeps coming from time to time.
Anyway, I think if someone could help me with what to do, maybe he should know the brief story of my PC over the last couple of days, which I write below:

So, lately I noticed that when I was opening Internet Explorer (usually I use Mozilla) a pop-up window was opening too (advertisement).
Then I checked my Windows (XP) startup files and I noticed a strange file being loaded with the name “heart spam” which, although I kept deleting it, kept appearing in my startup.
Well, I thought I must have some kind of virus/trojan or something similar.
Finally I used some tools (not antivirus though) like Ad-Aware, AVG (formerly Ewido), Spybot Search & Destroy, and one of the PC Tools programs (don't remember the name right now), and it seems that they managed to remove the file from the startup folder permanently, since after some restarts it wasn't loading anymore.
Then I ran a virus check with avast (the one with the restart) and it found a couple of files with a trojan. I deleted 2 of them permanently but I didn't delete the other 4 because they were in the restore section of my Windows and I couldn't.

Anyway, I think I am OK now because, as far as I know, the restore section of Windows is not used, although I will delete the 3 other files which are there in the next days.

But what about the message from avast, which, by the way, I've been very satisfied with?

Thank you for reading all this.
Regards,
N.

P.S. Excuse my lame English.
P.S. 2: I also include the .txt avast gave me from the reboot scan.

Hi nikits72,

The message you saw can also be caused by a Trojan downloader trying to connect to the internet to download more malware onto your computer.

You did the right thing in scanning with the programs you mentioned, and doing the avast! boot-time scan (‘the one with the restart’) - one of them must have found and deleted the Trojan downloader if the message has stopped.

Just to confirm you have no more problems, you could post a HijackThis! log:

http://www.bleepingcomputer.com/tutorials/tutorial42.html

Thanks for your reply, Frank.
Unfortunately the message keeps coming.
So I will do what is suggested in the link you gave me.

Regards, N.

Deletion isn’t really a good first option (you have none left): ‘first do no harm’, don’t delete, send the virus to the chest and investigate.

The c:\System Volume Information folder is a part of the System Restore function and as such is protected by Windows; the only way to clean infected _restore points is to disable System Restore and reboot. This will clear ALL _restore points. Once you have disabled System Restore, reboot, scan your PC again and, if clear, enable System Restore.

Win XP - How to disable System Restore

If a virus is replicating (coming back again and again), you should:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  4. Use a-squared, Free AVG Antispyware, SUPERantispyware or Spyware Terminator (trojan removers).

Another option is scanning in Safe Mode (repeatedly press F8 while booting): http://support.microsoft.com/default.aspx?scid=kb;en-us;315222

Thanks so much for your replies, mates.
I'll do as you instruct and see what happens.

Regards,
N.

Hi all again,

after some days I have tried a big number of anti-malware programs, both in safe mode and normal.

The names are the ones suggested above in the replies.
I also searched around a little about this message; it seems that LOP is what tries to get into my PC, but of course don't take this for granted since I am not an expert (not even a medium one).

What is happening is that the various programs found various stuff which I deleted, and my PC seems clean now (except the intrusion attempt which keeps coming), although I suspect that I have deleted innocent programs like mIRC, which were proposed to me by the various anti-malware programs.
Also various DLLs were supposed to be a threat and were proposed to me to be deleted by the programs, so I did. But I am not sure it was good.
I even reset Windows Firewall to the defaults, causing various programs not to work properly (I guess I will have to unblock them again when Windows Firewall asks me what to do, one by one; not a real problem, this).

The only thing that remains for me to do now is to post a HijackThis log as proposed above by FreewheelinFrank and hope that you will be able to help me to locate the problem.
(It was the first advice actually; I guess I left it last because I thought that one of all the antispyware programs would resolve my problem, and because I didn't actually believe that someone would want to look at a long HijackThis log and help.)
So below is the post.

Thanks for reading this,
N.

So here is the log from HijackThis.
As you will notice, there is a bunch of anti-malware programs running right now. I think maybe I should uninstall them now, since avast is the only one tracing the incoming attempt to my PC. Anyway… first I will listen to what you will tell me…
Just to mention something. The most decent anti-malware program that is finding LOM seems to be a-squared.

The log :

Logfile of HijackThis v1.99.1
Scan saved at 8:28:15 PM, on 19/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\AUtils\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AUtils\Alwil Software\Avast4\aswUpdSv.exe
D:\AUtils\Alwil Software\Avast4\ashServ.exe
D:\AUtils\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\AUtils\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ctfmon.exe
D:\AUtils\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ZyXEL\ADSL USB Modem\CnxDslTb.exe
D:\AUtils\ALWILS~1\Avast4\ashDisp.exe
D:\AUtils\DAEMON Tools\daemon.exe
D:\AUtils\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
D:\AUtils\uTorrent\utorrent.exe
D:\AUtils\Mozilla Firefox\firefox.exe
D:\AUtils\Trillian\trillian.exe
D:\AUtils\Microsoft Office\OFFICE11\EXCEL.EXE
D:\Dnld\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\AUtils\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\AUtils\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\AUtils\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM..\Run: [CnxDslTaskBar] “C:\Program Files\ZyXEL\ADSL USB Modem\CnxDslTb.exe”
O4 - HKLM..\Run: [avast!] D:\AUtils\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [DAEMON Tools] “D:\AUtils\DAEMON Tools\daemon.exe” -lang 1033
O4 - HKLM..\Run: [NvCplDaemon] “RUNDLL32.EXE” C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] “nwiz.exe” /install
O4 - HKLM..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Σήμερα.lnk = D:\AUtils\Today\TODAY.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Download with GetRight - D:\AUtils\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\AUtils\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\AUtils\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\AUtils\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\AUtils\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\AUtils\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\AUtils\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\AUtils\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.flash.gr/inc/activex/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131232162694
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acllhci - - (no file)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\AUtils\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\AUtils\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\AUtils\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\AUtils\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - D:\AUtils\System Mechanic Professional 6\IoloSGCtrl.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\AUtils\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\AUtils\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Unknown owner - D:\AUtils\WinClamAVShield\sp_clamsrv.exe (file missing)
O23 - Service: Streamload Service (StreamloadService) - Unknown owner - D:\AUtils\Streamload\MediaMax XL\StreamloadService.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
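
A first triage pass over a log like the one above, as an added example (not part of this thread and not HijackThis code): it parses the `Onn - Type: details` entry lines and flags the items a log reviewer looks at first. The flag names, the heuristics and the set of Microsoft update hosts are the example's own assumptions; the sample log is a constructed excerpt of the entries posted above.

```python
"""Triage helper for HijackThis 1.99 logs (added example, not HJT's own code).

Parses the "Onn - Type: details" entry lines and flags the ones a log
reviewer checks first:
  orphan            entry points at a file that is gone ("(file missing)"
                    or "(no file)"); usually a leftover of an uninstall
  unknown-owner     O23 service with no publisher string
  dpf-non-ms-host   O16 ActiveX download (DPF) fetched from a host other
                    than the Microsoft update hosts listed below
  winlogon-notify   O20 Winlogon Notify entry, a load point malware uses
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(O\d+) - (.*?): (.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")
# Hosts a stock Windows Update control is fetched from (assumption made for
# this example; extend it with other vendors you trust).
MS_UPDATE_HOSTS = {"update.microsoft.com", "windowsupdate.microsoft.com",
                   "download.microsoft.com"}


@dataclass
class Entry:
    kind: str            # "O2", "O4", "O23", ...
    typ: str             # "BHO", "Service", "DPF", ...
    detail: str          # everything after the type
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return the Onn entries of a log; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def triage(entries):
    """Attach flags to entries and return only the flagged ones, in log order."""
    for e in entries:
        if any(mk in e.detail for mk in MISSING_MARKERS):
            e.flags.append("orphan")
        if e.kind == "O23" and "Unknown owner" in e.detail:
            e.flags.append("unknown-owner")
        if e.kind == "O16":
            url = e.detail.rsplit(" - ", 1)[-1]          # the .cab URL
            host = (urlparse(url).hostname or "").lower()
            if host not in MS_UPDATE_HOSTS:
                e.flags.append("dpf-non-ms-host")
        if e.kind == "O20":
            e.flags.append("winlogon-notify")
    return [e for e in entries if e.flags]


def triage_log(text):
    return triage(parse_hjt(text))


def report(text):
    """One line per flagged entry, ready to paste back into a thread."""
    return "\n".join(f"{e.kind} [{', '.join(e.flags)}] {e.detail}"
                     for e in triage_log(text))


# Constructed sample: a few lines excerpted from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\AUtils\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] D:\AUtils\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.flash.gr/inc/activex/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131232162694
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Acllhci - - (no file)
O23 - Service: avast! Antivirus - Unknown owner - D:\AUtils\Alwil Software\Avast4\ashServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The flags are prompts for a human check, not verdicts. In the log above the avast! Mail Scanner and Web Scanner services carry `(file missing)` while `ashMaiSv.exe` and `ashWebSv.exe` are plainly in the running-process list, so an orphan flag on an O23 line whose path is a quoted executable followed by an argument (`" /service`) deserves a look at the process list before anything is removed. The same goes for `Unknown owner`: it means no publisher string was read, which the avast services in this log show is not evidence of malware on its own.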

OK, I solved the problem.
Actually, a-squared, a very good anti-malware program which was suggested to me, did the job.

It managed to find the file communicating with the outside site in real time.
This means that a-squared found which file was infected in my PC when the file tried to communicate on the net.
It was identified to me as an id-injection.

Maybe that is why no program could find which file was causing the trouble.

So everything is good now :)

I’m glad you’ve got cleaned up 8)
Anyway, you could follow the other steps posted before…