Hi,

Just installed the latest avast after uninstalling Norton.

After successful installation, I surfed the web, and I sometimes get a message that pops up above the clock which goes something like: Successfully blocked [virus? not too sure of the text here] from IP address. A couple of minutes later, I get a message about some process not working, and my web connection does not work. I reboot. I can surf again. And then this message comes up again. Same story.

I do a manual scan, and I come up with a virus/trojan on my machine. I forgot the name (not at my PC at the moment).

1. Any advice on how to keep my internet settings?
2. How can I setup the program to block all suspect attempts to access my PC (or at least prompt me with a confirmation message)?

Thanks
.

Hi tpfkanep,

To ensure Norton has gone completely, follow the steps here:

Download and run the Norton Removal Tool

It is particularly important to run the removal tool in step 3.

I would actually recommend you uninstall avast!, run the Norton removal tool, and then reinstall avast! to ensure a clean install.

When you have reinstalled avast!, update and run a boot time scan. Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested.

After the scan, try to connect again. Try to note down any messages, or check in the avast! log viewer- right click the avast! icon in the notification area.

More specific information will help us a lot.

To this end, please post a HijackThis! log.

This will give us a lot of system information regarding operating system version, firewall and any malware infection.

Thanks a lot. I will do as you say and report back soon. Apologies for the lack of specifics in my post.

Here is my Hijackthis logfile:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:23:07, on 2007/08/15 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Borland\Interbase\bin\IBServer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\K-Meleon11\k-meleon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\WinXP User\My Documents\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [UIUCU] C:\DOCUME~1\WINXPU~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User ‘Default user’)
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186594236734
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip..{16E7BDA0-69C1-47C5-B8C6-0AA805F9708D}: NameServer = 10.204.32.245 209.212.96.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\Interbase\bin\IBServer.exe

–
End of file - 4372 bytes

I managed to finally get windows updated to SP2 level (the reason for my delayed response). I must still do a boot time scan, the results which I will post tommorow.

You don’t appear to have an active firewall or are using XP firewall ?

Your version of JAVA is way out of date.
Ensure you have the latest version of JRE (JAVA Runtime Enviroment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://www.java.com/en/download/index.jsp

Running hijack this from a Temp location isn’t advised as any backup of items fixed would be lost if the temporary folder is cleared.
C:\Documents and Settings\WinXP User\My Documents\HiJackThis\HijackThis.exe

Whilst this (UIUCU.EXE) looks legit I find it strange that it is running from a Temp location, what do you know about it ?
O4 - HKLM..\Run: [UIUCU] C:\DOCUME~1\WINXPU~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S

[b]uiucu.exe - uiucu - Process Information[/b]

Process File: uiucu.exe or uiucu
Process Name: Universal Device Install Application

Other than that I can’t see anything obvious, it looks clear.

You don't appear to have an active firewall or are using XP firewall?

I think after I updated to WinXP SP2, I saw something that looks like firewall options from Control Panel. 1. How do I confirm if I have XP firewall? 2. Is XP firewall enough? 3. If not, what is the best freeware firewall.

Your version of JAVA is way out of date.

Thanks for that tip. I will do an update.

Running hijack this from a Temp location isn't advised as any backup of items fixed would be lost if the temporary folder is cleared. C:\Documents and Settings\WinXP User\My Documents\HiJackThis\HijackThis.exe

Should I remove Hijackthis from [My Documents]?

Whilst this (UIUCU.EXE) looks legit I find it strange that it is running from a Temp location, what do you know about it?

I have no idea what that is. Should I remove it?

My boot time scan seems to report nothing wrong (I checked the avast! logs and they are all empty).

Thanks for taking the time to look into my problem and giving me giudance to remove and install apps.

1. Control Panel, Windows Firewall, if you have that section in control panel then you have it available. You should check the Control Panel, Security Center, which will tell you which firewall you have and if it is active.

2. Personally No I don’t think it is enough.
   Windows XP’s firewall is better than no firewall but, it lulls you into a false sense of protection, it doesn’t provide outbound protection.
   I would however, say you need to look at a third party firewall to protect against unauthorised outbound connections.
   Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

3. • There are many freeware firewalls such as, Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes.
     See http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php later set of results

You should create a folder outside My Documents (which is a strange folder, different from a regular folder), where it is regular folder, C:\HiJackThis would do or a name and location of your choice.

I have no idea what it is either and can’t make that decision for you, you will have to investigate using google, etc. but you don’t want to get rid of something you need, My major concern if it is a legit application why is it in a temp folder.

See http://www.processlibrary.com/directory/files/uiucu