
Beware of the Avenger!


7 replies to this topic

#1 mashzapotato

  • Members
  • 1 posts

Posted 16 November 2008 - 02:51 AM

Hey All, I was recently slammed by a cocktail of nastiness that very nearly crippled my computer (and may still, the battle's not over yet) and I thought I'd recount my tale of woe to find out if anyone else knows about this and can help me fully get rid of it, and so you don't all fall into the trap of the avenger. Oh, the reason I chose this snappy title for my thread is because the name of the folder that I found all the viruses in was called avenger. Oh, and one additional note: I'm not particularly computer savvy, so bear with my ignorance please :flowers:

Ok, let me first outline what this cabal of adware, malware and trojans does to your computer.

1. Instead of opening your hard drive in the same window as you initially had it in, it opens a new one. (This didn't seem important at first, but after I took a bite out of avenger with malwarebytes it denied my access to my main hard drive altogether, so now I have to open it through the Explore function, which still works for some reason :thumbsup: )
2. It tries to install Antivirus Pro 2009 (FAKE!) on your comp; fortunately I was smart enough to close the download windows as quickly as they popped up.
3. One of the viruses in it is BrastK (there's a post on it elsewhere if you want to know the details).
4. It keeps you from using the Google search engine by redirecting you to meaningless sites every time you click on a link in Google.
5. It stops you from accessing almost any site that has anything to do with legitimate antispyware programs by redirecting you to blank .phps. Luckily it didn't block EVERY site and I was able to find a site that would let me download malwarebytes and get rid of this thing. (It actually stopped me from accessing this website, so you can all feel good knowing that you're on the spyware people's list :trumpet: )
6. Gives you the blue screen of death occasionally and automatically reboots your computer.
7. Slows down your web browser horribly!
8. Crashes your comp at weird and completely random times.
9. Does not allow antispyware programs already on your comp to work (although I got by that by renaming the exe's, which seems to work).

ummmmm I think that might be it... sooo yeah, you don't want this on your comp, trust me! But if you do, malwarebytes is pretty good at eradicating it.

When I first ran malwarebytes it detected 148 malicious programs

...damn.

(Moderator edit: post moved to more appropriate forum. jgw)

Edited by jgweed, 16 November 2008 - 10:11 AM.



#2 Zllio

  • Members
  • 1,107 posts

Posted 19 November 2008 - 03:58 AM

Hi mashzapotato,

It sounds like you had a lot of malware on your computer and that your efforts helped. A question about the name avenger: Did you give the evil element this name yourself or did one of the scans give it this name? It would be helpful to know this.

For your further efforts, please go through How did I get infected? as you may find some tips there that will help you. You need to have an updated version of Java and make sure all previous versions have been uninstalled; you should run a cleaner after you surf the net, and one I use regularly is CCleaner at the default setting; and you need to be sure all your software is kept updated. Additionally, having a good antivirus program and firewall matter. These things are all described in the above link.

MalwareBytes does not remove everything. You may find running a few additional scans helpful.

Zllio

#3 Killerbud21

  • Members
  • 3 posts

Posted 19 November 2008 - 04:06 AM

If most people have been able to run programs by changing their names, why am I not able to, I wonder? Most likely because I'm an idiot, so here is what I was trying: my computer/c:drive/program files/malwares' folder and then trying to rename mbam (wasn't mbam.exe, just mbam). Is this correct? Or should I access the folder elsewhere?

I also just noticed a file called Avenger as well so problem is identical...symptoms the same.

Edited by Killerbud21, 19 November 2008 - 04:09 AM.


#4 Zllio

  • Members
  • 1,107 posts

Posted 19 November 2008 - 08:16 AM

Hi Killerbud21,

I have some confusion here. You mentioned having run MalwareBytes which removed a lot of bad things.

Do you mean you can't run it with the same name you used the first time?

First let's try changing your settings in Windows Explorer. Right-click on Start and select Explorer. In Explorer go to Tools / Folder Options and select the View tab.

  • Uncheck the one that says Hide known extensions
  • Uncheck Hide protected system files
  • Check the one under Hidden Files and Folders that says Show all files and folders

You can set these back to the default settings later.

Now try running SDFix:


Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



Let me know how this goes. Also, if you have a log from the first time you ran MalwareBytes, please post it here.
Thanks.

Zllio

Edited by Zllio, 19 November 2008 - 08:29 AM.
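The Folder Options change Zllio describes (show known extensions, protected system files and hidden files) as an added PowerShell example, not code from the thread: it writes the Explorer registry values behind those three checkboxes and then lists a folder with hidden and system entries and full file names visible, which is what makes a renamed mbam.exe or the TDSS files in an Avenger folder show up as they really are. The folder path is an assumed placeholder; the thread only says the folder was called Avenger.

```powershell
# Added example, not from the thread: apply the Folder Options settings Zllio
# lists by writing the Explorer registry values behind those checkboxes, then
# list a suspect folder so hidden/system files and real extensions are visible.
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-ExplorerVisibility {
    param([switch]$Restore)   # -Restore puts the default (hiding) values back
    # HideFileExt 1 = hide known extensions; ShowSuperHidden 1 = show protected
    # OS files; Hidden 1 = show hidden files and folders, 2 = do not show them.
    $values = if ($Restore) {
        @{ HideFileExt = 1; ShowSuperHidden = 0; Hidden = 2 }
    } else {
        @{ HideFileExt = 0; ShowSuperHidden = 1; Hidden = 1 }
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $Advanced -Name $name -Value $values[$name] -Type DWord
    }
    # Takes effect for Explorer windows opened after the change.
    Get-ItemProperty -Path $Advanced | Select-Object HideFileExt, ShowSuperHidden, Hidden
}

function Show-FolderContents {
    param([string]$Folder)
    # -Force includes hidden and system entries that Explorer would otherwise skip;
    # Name always carries the full extension regardless of the HideFileExt setting.
    Get-ChildItem -LiteralPath $Folder -Force |
        Select-Object Name, Length, Attributes, LastWriteTime |
        Format-Table -AutoSize
}

Set-ExplorerVisibility
# Placeholder path (assumption): the thread only says the folder was called Avenger.
Show-FolderContents -Folder 'C:\Avenger'
# Later, once cleanup is done:  Set-ExplorerVisibility -Restore
```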


#5 lexzl

  • Members
  • 42 posts

Posted 03 December 2008 - 04:18 PM

Hey, I'm new to the site and I've had a similar problem to the guy above. My computer has all the symptoms minus the advertisements for the fake antivirus.

I got around that with malwarebytes, but just like him I'm still worried. My internet SEEMS to be okay except it's running fairly slow. Then again, I may just have bad internet. I'm looking through system32 right now and came across TDSSorvd.dat. I'm not sure if that's a problem, but I looked at the hard drive and found a folder called Avenger. Within I found these files:

TDSShrsr.dll
TDSSkkdu
TDSSlxwp.dll
etc.

The second one seems to be a logfile of some sort. I'm not sure if this is something critical for my computer OR spyware.

#6 Zllio

  • Members
  • 1,107 posts

Posted 04 December 2008 - 08:05 AM

Hi lexzl,

I recommend that you go through the whole set of cleaning procedures, which will include some of what you've already done. Malwarebytes should remove those files. There are specific instructions for using MalwareBytes down towards the bottom of the page under

How to Remove Antivirus Pro 2009

Zllio

#7 lexzl

  • Members
  • 42 posts

Posted 04 December 2008 - 03:10 PM

I just went through the step-by-step and it found nothing new.

However, as I said before, I had all the symptoms (i.e. the random shutdowns, redirected Google page, corrupted AV, inability to view AV sites, etc.) except Antivirus Pro 2009 being installed, which is why I'm at such a loss. I ended up posting my logfile on HijackThis but so far I've not gotten a response. I'll wait until my thread reaches the end of page 3 (since everyone has at least 1 post on that page) before moving the log here. The thread moves slowly, so I don't think that will be the case for a few more days.

I decided to delete the Avenger folder I found and am contemplating deleting the TDDSorvd.DAT as well. There hasn't been any change in PC performance, so I think the deletion of the folder was a safe call. I'll delete TDDSorvd after a response.

Nevertheless, thanks for the feedback, I just hope this doesn't end in a reformat.

#8 Zllio

  • Members
  • 1,107 posts

Posted 05 December 2008 - 03:30 AM

Hi lexzl,

The files you mentioned finding in the Avenger folder belong to a rootkit which is associated with Antivirus Pro. Normally they are removed by MalwareBytes. It would be a good idea to pursue things with the HJT forum, because they can use additional tools which will look at all the files that were put onto your computer since the virus got started. The unfortunate drawback of the HJT forum is that there are not enough people who meet the qualifications to help all the people who need help. If you've already done all the instructions listed in this thread, then it would be good to wait until you've gotten a response to your HJT thread, if for no other reason than to close out the possibility of further rootkits and to declare your computer clean. While you're waiting, I recommend avoiding using your computer for any financial transactions.

Zllio
