WOW I got buggered

Some kind of virus went straight for Avast and did some weird stuff with it. I had avast run a boot scan and it found this:

C:\Program Files\Security Tools\Antivirus Programs\Avast\Data\moved\pskars.dll.vir is infected by win32:CTX and that file was deleted by avast.

I then ran a root file cleaning program and it found two files and changed their names.

After that avast wasn’t acting right and I couldn’t even repair, or uninstall it to start over.

Had the Repair Console check and repair windows then I was able to uninstall and reinstall, but I get this Command line window every restart while Windows is loading all my apps.

Window reads like this: C:\WINDOWS\Sys32netsh.exe

Nothing displays in the black window and then just before it disappears the letters “OK” display.

What is this and how do I stop this behavior?

I use Win XP home always updated.

I then ran a root file cleaning program and it found two files and changed their names.

Hi and welcome,
the crux of the problem as I see it is what program did you run and what did it change files from and to??

the sys32netsh.exe is a Windows tool http://support.microsoft.com/?kbid=242468

The \moved\ folder is where avast places the items you move to avoid further infection.
It is better to send these items to the Chest… It’s not weird, it’s as you ordered it to be.

What can’t you manage? avast installation? What did you do, what items have you deleted…

Difficult to say but the repair console could ‘downgrade’ your Windows Home installation to the CD version. Maybe you’ve lost some updates and this is messing up your computer. Can you copy that file (C:\WINDOWS\Sys32netsh.exe) to a floppy or USB drive and submit it to Jotti or VirusTotal and see if it’s a virus or infected file?

C:\Program Files\Security Tools\Antivirus Programs\Avast\Data\moved\pskars.dll.vir is infected by win32:CTX
This shows that the file wasn't deleted but moved on the boot scan to the avast moved folder within the avast program folder, so avast may not have been infected.

You don’t say what root cleaning tools you used?
There are many rootkit detectors but most don’t actually clean, just present the user with bare information that if the user incorrectly deletes a file that is not a rootkit but an important file it can seriously affect your system.

One such tool reports 11 suspects in my system (there is however, a warning about false positive detections in the readme.txt file that comes with it), yet others report none. Now if I deleted all of these my system would be in serious trouble.

I was stupid and clicked on an .exe file that had been downloaded and was infected. I deleted this file and avast instantly caught the files it had installed and deleted them. Something in my system was changed, but I couldn’t tell you what. I do know that an entry was put in my registry and set to run a command window titled: “sys32netsh.exe” when Windows loaded my programs.

It ran a Command box having something to do with Microsoft’s netsh.exe file located in Windows/sys32 file. I went to msconfig to see what was scheduled to start with Windows and there was only one file there that was something I didn’t recognize. It was located in:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: Control Panel — Type: REG_SZ — Data: C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile

I deleted it and I no longer have that command window open when Windows starts. I don’t know what it is for or if it was the culprit, but the command window no longer loads, SO FAR.

If I find I have lost some functionality to my keyboard somehow I can recreate that entry, but so far I’ve noticed nothing unusual.

I’m confused. Why did avast detect files in its own “Move” folder and tell me it was an infection and ask me if I wanted them deleted? They had been there from a previous scan, if I remember correctly. Seems to me that folder wouldn’t be included in its scan, cause it already knew they were infected.

The root cleaner I used is blbeta and isn’t really a cleaner, per se, but it does locate and offer to rename files, which makes them ineffective. I periodically scan with this program and have never had it detect anything until after the bugger I opened the other day screwed things up, I was pretty sure the files it renamed were malware files.

Please disregard this reply, I screwed it up and couldn’t figure out how to delete it. The one that makes sense to me follows this one below.

It kept downloading reference files over and over.

You’re probably right. Will have to check my Windows updates to make sure. Even so, that command window displaying every time Windows loaded my programs was not the way it originally behaved.

How do I set this Forum to send me email notifications?

You can’t delete, only modify as you have done.

In the past I have had a command window opening on boot and that I eventually tracked down to a run command that couldn’t find a file and it stopped in the folder where the missing file should have been. Perhaps that is the same for you, I checked msconfig and hijackthis to find programs that start on boot and run commands. Once I found and deleted the command then no problem.

At the bottom of this page you’ll see a button called ‘Notify’.
It will send you an email to your email account (the one you registered in the forums).

You can also set this up in your Profile (click the Profile button), ‘Notifications and Email’ and you should be able to set it up so you automatically receive notification for Threads/Topics that you start or post in.

Note we try to keep the avatars at 100X100, if you can resize yours, or you can use this one which is a little smaller.
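
The Run-key check described earlier in the thread (msconfig, HijackThis) can be scripted. This is an added example, not code from any poster: it parses `reg query` output for the Run key and flags system32 binaries missing from a baseline. The sample output is constructed (only the `Control Panel` row comes from the thread), and `BASELINE`, `split_command` and `audit` are hypothetical names.

```python
import difflib
import ntpath
import re

# Assumed baseline of genuine system32 executables; build the real list from a clean install.
BASELINE = {"cmd.exe", "rundll32.exe", "netsh.exe", "ctfmon.exe", "userinit.exe"}

# Constructed `reg query` output. Only the "Control Panel" row is from the thread.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example App\tray.exe /min
    InputMethod    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Control Panel    REG_SZ    C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
    QuotedApp    REG_SZ    "C:\Program Files\Example App\update.exe" /silent
"""

ROW = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+)$")
EXE = re.compile(r'^"(?P<q>[^"]+)"\s*(?P<qa>.*)$|^(?P<u>.+?\.exe)\b\s*(?P<ua>.*)$', re.I)

def split_command(data):
    """Return (executable path, argument string) for quoted or unquoted commands."""
    m = EXE.match(data.strip())
    if not m:
        return data.strip(), ""
    return (m["q"], m["qa"]) if m["q"] else (m["u"], m["ua"])

def audit(reg_output):
    """Return a list of (value name, executable, reasons) for suspicious rows."""
    findings = []
    for line in reg_output.splitlines():
        row = ROW.match(line)
        if not row:
            continue
        exe, args = split_command(row["data"])
        folder, base = ntpath.split(exe.lower())
        reasons = []
        if folder.endswith("\\system32") and base not in BASELINE:
            reasons.append("not in system32 baseline")
            close = difflib.get_close_matches(base, sorted(BASELINE), n=1, cutoff=0.8)
            if close:
                reasons.append("name resembles " + close[0])
        if re.match(r"^\S+\.dll,\w+", args, re.I) and base != "rundll32.exe":
            reasons.append("rundll32-style arguments on another binary")
        if reasons:
            findings.append((row["name"], exe, reasons))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A flagged entry is a lead to check (for example by submitting the file to a scanner, as suggested above), not proof of infection.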