Cannot Install Antivirus


This topic is locked
3 replies to this topic

#1 obigo

Posted 28 December 2007 - 02:18 AM

Hi,

A few days ago I noticed that some of my protection tools, including Norton Antivirus and Spybot, were not running and when trying to get to the bottom of it I noticed that their files have been deleted.

So I completely removed Spybot and re-installed it. This worked for a while and then the software was removed again.

At this stage, I also removed Norton and tried to install AVG but kept getting an error message during the installation that prevented it from completing. So I tried to install AntiVir and again got error messages during installation (which of course failed as well).

It seems to me that there is a process on my PC that detects Antivirus/Anti spyware apps and prevents them from running by deleting their files, however I could not detect it.

Below is the HijackThis log. I'd appreciate any assistance as my PC is not protected now...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:28:24, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\RocketDock\RocketDock.exe
D:\Program Files\StickIt\StickIt3.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINDOWS\system32\mmc.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54B02808-B60E-44CD-A72D-9865117E4E62} - (no file)
O2 - BHO: AGFormHelperObj Class - {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} - C:\Program Files\agat\AGForm\AGFormsHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AGForms - {ed2e7de7-07db-4941-a06d-f780b93ba730} - C:\Program Files\agat\AGForm\AGForms.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "D:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [StickIt] d:\Program Files\StickIt\StickIt3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: RD birthday reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7CE6527-9F22-4288-AF68-F219291ADE8A}: NameServer = 62.90.42.110 212.150.49.10
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Unknown owner - D:\Program Files\a-squared Free\a2service.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

--
End of file - 6404 bytes

#2 obigo (Topic Starter)

Posted 28 December 2007 - 05:36 AM

Further investigating the problem, I found out that AntiVir fails on the creation of some executable files (e.g., avadmin.exe) so I created an empty file with the same name (using Explorer) and after a sec it was automatically deleted.

It seems to me that a process is monitoring newly created files and deletes them if they are part of an anti-virus / anti spyware app.

#3 obigo (Topic Starter)

Posted 28 December 2007 - 06:44 AM

PROBLEM SOLVED !!!

1. I used FileMon (System Internals) to monitor the file system while creating an "avadmin.exe" file and looked at the stack:

0 fltmgr.sys fltmgr.sys + 0x1944 0xf73a0944 C:\WINDOWS\System32\Drivers\fltmgr.sys
1 fltmgr.sys fltmgr.sys + 0x3352 0xf73a2352 C:\WINDOWS\System32\Drivers\fltmgr.sys
2 fltmgr.sys fltmgr.sys + 0xfccb 0xf73aeccb C:\WINDOWS\System32\Drivers\fltmgr.sys
3 fltmgr.sys fltmgr.sys + 0x10142 0xf73af142 C:\WINDOWS\System32\Drivers\fltmgr.sys
4 ntkrnlpa.exe ntkrnlpa.exe + 0x17eb1 0x804eeeb1 C:\WINDOWS\system32\ntkrnlpa.exe
5 FILEM.SYS FILEM.SYS + 0x6e79 0xb22dee79 C:\WINDOWS\system32\drivers\FILEM.SYS
6 ntkrnlpa.exe ntkrnlpa.exe + 0xe6d10 0x805bdd10 C:\WINDOWS\system32\ntkrnlpa.exe
7 ntkrnlpa.exe ntkrnlpa.exe + 0xe3398 0x805ba398 C:\WINDOWS\system32\ntkrnlpa.exe
8 ntkrnlpa.exe ntkrnlpa.exe + 0x9de4d 0x80574e4d C:\WINDOWS\system32\ntkrnlpa.exe
9 ntkrnlpa.exe ntkrnlpa.exe + 0x9e7c4 0x805757c4 C:\WINDOWS\system32\ntkrnlpa.exe
10 ntkrnlpa.exe ntkrnlpa.exe + 0xa0e8e 0x80577e8e C:\WINDOWS\system32\ntkrnlpa.exe
11 srosa.sys srosa.sys + 0x3552 0xb2ddd552 C:\WINDOWS\system32\drivers\srosa.sys
12 srosa.sys srosa.sys + 0x35b6 0xb2ddd5b6 C:\WINDOWS\system32\drivers\srosa.sys
13 ntkrnlpa.exe ntkrnlpa.exe + 0x6960c 0x8054060c C:\WINDOWS\system32\ntkrnlpa.exe
14 SHELL32.dll SHELL32.dll + 0x76005 0x7ca36005 C:\WINDOWS\system32\SHELL32.dll
15 VERSION.dll VERSION.dll + 0x1b75 0x77c01b75 C:\WINDOWS\system32\VERSION.dll
16 VERSION.dll VERSION.dll + 0x1adc 0x77c01adc C:\WINDOWS\system32\VERSION.dll
17 SHELL32.dll SHELL32.dll + 0x127528 0x7cae7528 C:\WINDOWS\system32\SHELL32.dll
18 SHELL32.dll SHELL32.dll + 0x1275d5 0x7cae75d5 C:\WINDOWS\system32\SHELL32.dll
19 SHELL32.dll SHELL32.dll + 0x8e048 0x7ca4e048 C:\WINDOWS\system32\SHELL32.dll
20 SHELL32.dll SHELL32.dll + 0x16dc16 0x7cb2dc16 C:\WINDOWS\system32\SHELL32.dll
21 SHELL32.dll SHELL32.dll + 0x16dd5a 0x7cb2dd5a C:\WINDOWS\system32\SHELL32.dll
22 SHELL32.dll SHELL32.dll + 0x167361 0x7cb27361 C:\WINDOWS\system32\SHELL32.dll
23 SHELL32.dll SHELL32.dll + 0x340a3 0x7c9f40a3 C:\WINDOWS\system32\SHELL32.dll
24 BROWSEUI.dll BROWSEUI.dll + 0x1e63 0x75f81e63 C:\WINDOWS\system32\BROWSEUI.dll
25 SHLWAPI.dll SHLWAPI.dll + 0x8ea5 0x77f68ea5 C:\WINDOWS\system32\SHLWAPI.dll
26 ntdll.dll ntdll.dll + 0x27545 0x7c927545 C:\WINDOWS\system32\ntdll.dll
27 ntdll.dll ntdll.dll + 0x27583 0x7c927583 C:\WINDOWS\system32\ntdll.dll
28 ntdll.dll ntdll.dll + 0x27645 0x7c927645 C:\WINDOWS\system32\ntdll.dll
29 ntdll.dll ntdll.dll + 0x2761c 0x7c92761c C:\WINDOWS\system32\ntdll.dll
30 kernel32.dll kernel32.dll + 0xb50b 0x7c80b50b C:\WINDOWS\system32\kernel32.dll

2. I noticed SROSA.SYS and looked it up on the Web (VirusList.com) - this is a trojan that does exactly what I described above (deleting files).

3. I followed their instructions on how to remove it:

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
2. Use Task Manager to terminate the worm process (it may be called "hidr.exe").
3. Delete the following files:

%System%\drivers\srosa.sys
%System%\drivers\hidr.exe

4. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
5. Delete the following parameter from the system registry (see What is a system registry and how do I use it for details on how to edit the registry).

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit" = "%System%\drivers\hidr.exe"

6. Delete the following registry key:
[HKCU\Software\FirstRRRun]
7. Delete the following folder and its contents:
%WinDir%\exefqd
8. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus)

AND GOT MY PC BACK TO A WORKING STATE !
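The stack-walking step in the post above, automated, as an added example that is not part of the original thread or of FileMon: the script parses the pasted FileMon stack, splits it into kernel-mode and user-mode frames, flags every kernel module that is not on a baseline allowlist, and separately reports which module the system-call dispatcher handed control to. In obigo's stack that is srosa.sys (frames 11 and 12, directly beneath the ntkrnlpa.exe transition frame 13), which is the position of a system-service hook rather than of a filter driver, since a legitimate filter would appear below fltmgr.sys near frame 0. The kernel/user address split (0x80000000, 32-bit XP without /3GB) and the allowlist of expected modules are assumptions chosen for this example; the sample stack is frames 0 to 14 as posted, the user-mode tail being omitted.

```python
"""Triage a FileMon call stack to find the driver that intercepted a file
operation. Added example, not code from the original post; it automates the
reasoning of post #3 on the stack captured when "avadmin.exe" was deleted.
Assumptions: 32-bit XP without /3GB (kernel space starts at 0x80000000) and
the module allowlist below, which is a chosen baseline, not a Windows fact."""
import re
from dataclasses import dataclass

KERNEL_BASE = 0x80000000  # first kernel-mode address on 32-bit XP, no /3GB

# Kernel image names: the frame the syscall dispatcher calls should be one of these.
KERNEL_IMAGES = {"ntkrnlpa.exe", "ntoskrnl.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}

# Modules expected on a clean file-I/O stack. FILEM.SYS is FileMon's own
# driver, so it legitimately appears. Assumed baseline; extend per machine.
KNOWN_KERNEL_MODULES = KERNEL_IMAGES | {"fltmgr.sys", "filem.sys", "ntfs.sys"}

FRAME_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<module>\S+)\s+\S+\s*\+\s*0x(?P<off>[0-9a-fA-F]+)"
    r"\s+0x(?P<addr>[0-9a-fA-F]+)\s+(?P<path>\S.*?)\s*$"
)

# Frames 0-14 of the stack from post #3 (frame 0 is innermost; the user-mode
# tail beyond frame 14 is omitted here, it is not needed for the triage).
SAMPLE_STACK = r"""
0 fltmgr.sys fltmgr.sys + 0x1944 0xf73a0944 C:\WINDOWS\System32\Drivers\fltmgr.sys
1 fltmgr.sys fltmgr.sys + 0x3352 0xf73a2352 C:\WINDOWS\System32\Drivers\fltmgr.sys
2 fltmgr.sys fltmgr.sys + 0xfccb 0xf73aeccb C:\WINDOWS\System32\Drivers\fltmgr.sys
3 fltmgr.sys fltmgr.sys + 0x10142 0xf73af142 C:\WINDOWS\System32\Drivers\fltmgr.sys
4 ntkrnlpa.exe ntkrnlpa.exe + 0x17eb1 0x804eeeb1 C:\WINDOWS\system32\ntkrnlpa.exe
5 FILEM.SYS FILEM.SYS + 0x6e79 0xb22dee79 C:\WINDOWS\system32\drivers\FILEM.SYS
6 ntkrnlpa.exe ntkrnlpa.exe + 0xe6d10 0x805bdd10 C:\WINDOWS\system32\ntkrnlpa.exe
7 ntkrnlpa.exe ntkrnlpa.exe + 0xe3398 0x805ba398 C:\WINDOWS\system32\ntkrnlpa.exe
8 ntkrnlpa.exe ntkrnlpa.exe + 0x9de4d 0x80574e4d C:\WINDOWS\system32\ntkrnlpa.exe
9 ntkrnlpa.exe ntkrnlpa.exe + 0x9e7c4 0x805757c4 C:\WINDOWS\system32\ntkrnlpa.exe
10 ntkrnlpa.exe ntkrnlpa.exe + 0xa0e8e 0x80577e8e C:\WINDOWS\system32\ntkrnlpa.exe
11 srosa.sys srosa.sys + 0x3552 0xb2ddd552 C:\WINDOWS\system32\drivers\srosa.sys
12 srosa.sys srosa.sys + 0x35b6 0xb2ddd5b6 C:\WINDOWS\system32\drivers\srosa.sys
13 ntkrnlpa.exe ntkrnlpa.exe + 0x6960c 0x8054060c C:\WINDOWS\system32\ntkrnlpa.exe
14 SHELL32.dll SHELL32.dll + 0x76005 0x7ca36005 C:\WINDOWS\system32\SHELL32.dll
"""


@dataclass(frozen=True)
class Frame:
    index: int  # 0 = innermost frame, where FileMon observed the operation
    module: str
    offset: int
    address: int
    path: str

    @property
    def kernel_mode(self) -> bool:
        return self.address >= KERNEL_BASE


def parse_stack(text: str) -> list[Frame]:
    """Parse a pasted stack; non-frame lines are skipped, frames sorted by index."""
    frames = [Frame(int(m["idx"]), m["module"], int(m["off"], 16),
                    int(m["addr"], 16), m["path"])
              for m in map(FRAME_RE.match, text.splitlines()) if m]
    return sorted(frames, key=lambda f: f.index)


def suspicious_kernel_modules(frames: list[Frame],
                              known: set[str] = KNOWN_KERNEL_MODULES) -> list[str]:
    """Kernel-mode modules not on the allowlist, innermost first, de-duplicated."""
    found: list[str] = []
    for f in frames:
        name = f.module.lower()
        if f.kernel_mode and name not in known and name not in found:
            found.append(name)
    return found


def syscall_path_modules(frames: list[Frame]) -> list[str]:
    """Modules called directly by the system-call dispatcher.

    The highest-index kernel frame is the user->kernel transition. A clean
    stack continues straight into the kernel image (the Nt* handler); a third
    party driver there has hooked the system service, unlike a filter driver,
    which sits below fltmgr.sys near frame 0.
    """
    kernel = sorted((f for f in frames if f.kernel_mode),
                    key=lambda f: f.index, reverse=True)
    interposed: list[str] = []
    for f in kernel[1:]:  # skip the transition frame itself
        name = f.module.lower()
        if name in KERNEL_IMAGES:
            break
        if name not in interposed:
            interposed.append(name)
    return interposed


if __name__ == "__main__":
    frames = parse_stack(SAMPLE_STACK)
    print("unknown kernel modules:", suspicious_kernel_modules(frames) or "none")
    print("called from syscall dispatcher:", syscall_path_modules(frames) or "none")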

#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:13 AM

Posted 13 January 2008 - 06:37 PM

PROBLEM SOLVED !!!


We are glad that you managed to resolve the problem, thanks for letting us know. :thumbsup:

As the problem here seems to be resolved this topic is now closed.
To get it reopened PM a staff member with the address of this thread.
This applies to the topic starter only, everyone else with similar problems start a new topic.

Regards,
SNOWHITE
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users