Suspicions of virus activity

I have a PC I have just upgraded to XP SP2. The PC is a Pentium 4 CPU 2.66 GHz with 128 MB RAM. I am running avast, Spybot, and Ad-Aware. Bootups are slow, which I am sure will be corrected by more memory. The issue which concerns me is that avast comes up in the system tray with a red X and I get a message that “No firewall is turned on.” These both go away if I wait, and if I go to Control Panel to check the Windows Firewall settings, it says that it is on.

I have run avast in safe mode with the internet cable unplugged and it comes up clean. Spybot, run from regular Windows, also comes up clean, as does Ad-Aware.

I have never seen avast come up with the red x. Is this normal?

I have also updated Avast and run it as a boot scan. It says I’m clean. I can load and run Hijack if there is somebody here who can interpret it.

I can load and run Hijack if there is somebody here who can interpret it.

I’m sure they’ll be somebody around who can do that for you.

To clarify, I guess my eyes are not too good. The avast system tray icon comes up with a red circle with a line through it appearing on the lower left corner of the icon. It does go away if you wait. The message about no firewall comes up sometimes, but not all the time. As I said, I am not sure if this occurs just because of a small amount of memory, or if something is sneaking in there before avast can run. I’d appreciate any help you can give.
Thanks!
Carol

The HijackThis log is:
Logfile of HijackThis v1.99.1
Scan saved at 3:54:12 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168135590953
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

The Silent Runners log is:
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“SpybotSD TeaTimer” = “C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [“Safer Networking Limited”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“IgfxTray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”]
“HotKeysCmds” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”]
“SoundMAXPnP” = “C:\Program Files\Analog Devices\Core\smax4pnp.exe” [“Analog Devices, Inc.”]
“avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
→ {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Display Panning CPL Extension”
→ {HKLM…CLSID} = “Display Panning CPL Extension”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “HyperTerminal Icon Ext”
→ {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]
“{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler”
→ {HKLM…CLSID} = “Microsoft Office Outlook”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS]
“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”
→ {HKLM…CLSID} = “Outlook File Icon Extension”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS]
“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”
→ {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS]
“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”
→ {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
<<!>> igfxcui\DLLName = “igfxsrvc.dll” [“Intel Corporation”]

HKLM\Software\Classes\PROTOCOLS\Filter
<<!>> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”
→ {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers
avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”
→ {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers
avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”
→ {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

I’ll post the rest in the next window.

Continuation of Silent Runners log

Group Policies {policy setting}:

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General
“Wallpaper” = “C:\WINDOWS\web\wallpaper\Bliss.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop
“Wallpaper” = “C:\WINDOWS\web\wallpaper\Bliss.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop
“SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Research”
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions
{92780B25-18CC-41C8-B9BE-3C9C571A8263}
“ButtonText” = “Research”

{FB5F1910-F110-11D2-BB9E-00C04F795683}
“ButtonText” = “Messenger”
“MenuText” = “Windows Messenger”
“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data]
avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data]


<<!>>: Suspicious data at a malware launch point.

  • This report excludes default entries except where indicated.
  • To see everywhere the script checks and everything it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
  • The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 29 seconds.
    ---------- (total run time: 71 seconds)

Thanks!

Your log looks OK :wink:
The main concern I would have is getting some more RAM into it.

I presume you are running a Dell machine. If that's the case and you wish to regain some of its processing power from all the preinstalled stuff that usually comes from Dell, this might interest you: http://www.yorkspace.com/pc-de-crapifier/

Good luck :slight_smile:

Thanks a bunch for all your help!
Carol

avast gets running pretty quickly, so it should be ready to protect early, too.

It is best to have HJT in a folder that isn’t a temp location (which could be cleaned, losing any backed-up entries if you had to fix anything), e.g. c:\HJT or any permanent HDD location.

Your log file looks clean, probably one of the smallest I have seen in a while; an on-line analysis highlights firewall protection:

We didn't detect any active process of a firewall on your system. Reasons maybe: (1.) You are using the windows firewall or a hardware firewall. (2.) You are using a firewall of an unknown vendor. (3.) You are using a firewall, but for unknown reasons it is disabled (4.) You don't use any firewall at all.
Since you are getting an alert the firewall isn't on, go the Control Panel, Windows Firewall and ensure it is on.

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

I haven’t used silent runners before but the data doesn’t seem to have anything untoward.

Take care with Spybot’s TeaTimer start-up protection it could eat the avast icon, ashDisp.exe.

Increasing the RAM would make a huge difference to your overall system performance, as 128 MB is considered the absolute minimum for XP; when you start adding other applications that start on boot, they have overheads also. 256 MB would be adequate, 512 MB would be good and 1 GB great. RAM is relatively cheap; however, having a Dell, they don’t like you upgrading much, and to send it to them would be costly.

Your local Tech/Computer store should be able to upgrade RAM and unlike many Dell parts I don’t believe this is a proprietary part and should be user upgradable. You could call them to check.

You should urgently think of upgrading RAM: if you were to install a 3rd party firewall before upgrading RAM, the system would be even slower.

Thanks DavidR.
I was wondering why I kept getting a popup saying there was no firewall, even though Windows said it was running. I agree about the RAM. I have told the owner of the PC that she should upgrade to 1MB, but that my PC was working fine with 512. She is thinking about going to 512. She doesn’t do heavy gaming or other graphics. Just uses it for the internet, financial, and word processing. I have also warned her that if she wants to update software in the future, that more memory might be critical anad that the 512 purchase would be throw away.

I really want to tell you guys that you do a good job here, and thanks for the help.

Do you know how I can learn to interpret Hijack This so I can be more independent? Thanks!

You can enter a training course at some sites; this is both intensive and time consuming, so you have to have more than a general interest or just self help.

Well, you can get some help at on-line analysis sites, but you shouldn’t take it as 100%; it gives a reasonable starting point to investigate what it classes as Nasty, Possibly Nasty or Unknown, etc. Then you use the likes of Google to search on the file names, etc. and see if that confirms the analysis.

On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2

The first of these also has the ability to upload suspect files to be scanned, this can also be done at other sites. You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive.

There are also hijackthis tutorials and these also provide other very useful information to help analyse the log. HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3

That should be enough to keep you going ;D
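As an added example of the kind of manual checks described above (this is not code from the thread, from HijackThis or from any of the linked analysis sites), here is a small Python script that parses the HijackThis entry types that most often matter (O2 BHOs, O4 Run values, O16 downloaded ActiveX controls, O20 Winlogon Notify DLLs, O23 services) and applies a few reviewer heuristics: a Run value launching from a temp or profile directory, a system-process name outside system32, a service pointing at a missing file, a Winlogon Notify DLL outside system32, a BHO with no display name, and an ActiveX control fetched from a non-Microsoft host. The sample lines are copied from the log posted in this thread, plus one constructed O4 line (marked as such) that triggers the temp-path and name-spoofing checks. The heuristics and severity labels are the example's own assumptions; a flag means "look closer", not "infected".

```python
"""Minimal HijackThis (v1.99.1) log triage, added here as an example.

Each HJT line has the form "<Onn> - <description>". This script parses the
entry types that matter most when reading such a log and applies a few
heuristics a human reviewer would otherwise apply by hand. The heuristics
are judgement calls chosen for this example, not HijackThis's own logic.
"""
import re
from urllib.parse import urlparse

# Sample input: lines copied from the log in this thread, plus one
# constructed O4 line (the last one) that exercises the "high" checks.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O4 - HKCU\\..\\Run: [winupdate] C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\svchost.exe
"""

# Path fragments (lower-cased) that legitimate auto-start entries rarely use.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\application data\\")
# Names of core Windows processes that malware likes to borrow.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe", "explorer.exe"}

# One regex per entry type; the "\\?" in O4 tolerates both "HKLM\..\Run"
# and the backslash-stripped "HKLM..\Run" form seen in pasted logs.
PATTERNS = {
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    "O4":  re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) - (?P<url>\S+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$"),
}


def parse_line(line):
    """Return a dict of fields for a recognised entry, or None otherwise."""
    line = line.strip()
    for kind, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            entry = m.groupdict()
            entry["type"] = kind
            return entry
    return None


def _exe_name(cmd):
    """Lower-cased file name of the first executable-looking token in a command."""
    m = re.search(r'([^\\"/]+\.(?:exe|dll|scr|com|bat|cmd))', cmd, re.I)
    return m.group(1).lower() if m else ""


def assess(entry):
    """Apply the reviewer heuristics; return a list of (severity, message)."""
    notes = []
    kind = entry["type"]
    if kind == "O4":
        cmd = entry["cmd"]
        low = cmd.lower()
        if any(marker in low for marker in TEMP_MARKERS):
            notes.append(("high", f"{entry['hive']} Run value '{entry['name']}' launches from a temp/profile path: {cmd}"))
        exe = _exe_name(cmd)
        if exe in SYSTEM_NAMES and "\\system32\\" not in low:
            notes.append(("high", f"'{exe}' is a system-process name but runs outside system32: {cmd}"))
    elif kind == "O23":
        if "(file missing)" in entry["path"]:
            notes.append(("low", f"service '{entry['name']}' points to a missing file (stale or partly removed component)"))
    elif kind == "O20":
        if "\\system32\\" not in entry["path"].lower():
            notes.append(("high", f"Winlogon Notify DLL outside system32: {entry['path']}"))
        else:
            notes.append(("info", f"Winlogon Notify '{entry['name']}' loads {entry['path']}; confirm the vendor"))
    elif kind == "O2":
        if entry["name"] == "(no name)":
            notes.append(("info", f"BHO {entry['clsid']} has no display name; check the DLL: {entry['path']}"))
    elif kind == "O16":
        host = urlparse(entry["url"]).hostname or ""
        if not (host == "microsoft.com" or host.endswith(".microsoft.com")):
            notes.append(("info", f"ActiveX control '{entry['name']}' downloaded from {host}"))
    return notes


def triage(log_text):
    """Parse a whole log and return (severity, entry type, message) findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for severity, message in assess(entry):
            findings.append((severity, entry["type"], message))
    return findings


if __name__ == "__main__":
    for severity, kind, message in triage(SAMPLE_LOG):
        print(f"[{severity:4}] {kind}: {message}")
```

On the sample above only the constructed O4 line produces "high" findings; the entries taken from the posted log yield "info" or "low" notes, which matches the verdict the thread reached. The lists of temp markers and system-process names are deliberately short and are the place to extend the script once you have looked up a few real logs.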

Do you know how I can learn to interpret Hijack This so I can be more independent? Thanks!

I can do no more than recommend Geeks to Go as I am training there and it is thorough http://www.geekstogo.com/forum/Would_you_like_to_learn_to_fight_malware-t4817.html

:slight_smile: Hi Caroln :

The brevity of the HijackThis log you posted should result in you being asked IF you ran the HijackThis program in "Safe Mode"!? If you did that, then the log you posted is of very little help in discovering any possible problem. HijackThis logs are BEST analyzed by Experienced, Trained, volunteer Malware Experts usually found on antiSPYWARE Support Forums, like the ones Spybot has at http://forums.spybot.info .
Since your current HijackThis program is in an inappropriate place, I recommend you uninstall it, then:

Download HijackThis© from: www.thespykiller.co.uk/files/HJTsetup.exe .
At the download prompt, choose “Save”.
Navigate to the saved file and double-click the installer, HJTsetup.exe.
HijackThis will be installed on your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.
When the installation is complete, exit HijackThis.

As to learning about HijackThis, I recommend you read the “Tutorials” at :
www.bleepingcomputer.com/tutorials/tutorial42.html ;
http://aumha.org/a/hjttutor.php ;
http://castlecops.com/HijackThis.html .

As to being “trained” as a volunteer Expert, I feel the “School” at Malware Removal University
at http://forum.malwareremoval.com/viewtopic.php?t=233&sid=fca6dd7bc9eb3b0c1e223be11f879207 is equal or better than the one at Geeks To Go.

You’ve made some good points Spiritsongs. But then this

Well, we have those here.

Don’t count on me… For sure I’m not an expert on malware removal, HijackThis, etc.
Mauserme, I really think it’s better get malware help on the links posted by Spiritsongs.
We’re most used to avast, some of the others know about virus removal, but, in my opinion, they are the experts :wink:

I would argue that the vast majority of people coming here seeking help only want to know where to look for answers .

The last thing we should be doing is sending them off to these obscure, boutique removal sites with their toilet paper diplomas that get a couple of posts a week.

In most instances it is better that a person gets contributions promptly and from a variety of sources so they can use their own judgment.

Just my 2c worth and no disrespect to any individual. 8)

I think we should do our best to provide the help requested within our abilities. And there is a lot of ability on this forum. This can be seen every day in the number of problems solved. I do agree that the best help will sometimes be an admission that someone else is better able to provide answers but “go away” should never be our first response.

I have never had a “Go Away” from anyone in the technical forums, only when I was foolish enough to ask an avast question in the Yahoo forum. I believe the people in these forums are really interested in what they do, give the best answer they can, including telling people when they need to ask someone else for more technical help.

I really appreciate and respect what all the people here do. It takes a lot of time and energy, and people would not do it unless they care.

I came to this forum this time, because I had a question about why avast was coming up with a red circle with a line through it on the lower left corner of the icon in the system tray. Because everybody here uses avast, I felt you were more able to recognize my problem. I also go to the Gladiator-antivirus forum and I get great help there.

One thing I would like to clear up though, I did not run HiJack This from a temp directory. I saved it to a directory under C:\Program Files and ran it from an active Windows XP SP2 Explore window. The reason the listing was so small is that it was an initial load, after the registry got corrupted.

Thanks for all your help.

PS I am really enjoying this discussion of your favorite sites!

Fully agree…

Fully agree…

I was just trying to say that sending people to other sites is not a bad attitude… just trying to help them and redirecting them to correct sites.

Well, if this is true… I remove my first comment. I thought Spiritsongs was sending the user to useful/trust sites…

And avast forum WON’T be the first one… You’re welcome…

  1. Check the option in the Appearance tab of settings.
    or
  2. Repair your avast installation through Control Panel.
    or
  3. Make a link to ashdisp.exe in your startup folder
    or
  4. Add the path to ashDisp.exe into a value named avast! in the Windows Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If that does not help, please, uninstall, boot, install again, boot.
Hope it helps…

:slight_smile: Hi Tech :

Of course I am referring people to reliable sites, those whose Malware Experts are members of the Alliance of Security Analysis Professionals, who have passed their rigorous Training Program, like the one Essexboy is taking at Geeks-To-Go, and the one at "Malware Removal University".

Edited. Sorry.