Antivirus 2009?


This topic is locked
20 replies to this topic

#1 squinkler
  • Members
  • 12 posts
  • Location:adelaide

Posted 02 December 2008 - 12:12 AM

Not sure what the virus is exactly...it blocks access to helpful sites like bleepingcomputer, redirects from browser search results to a variety of "antispyware" sites including Antivirus 2009 and stops running EXEs like the HijackThis installer unless you rename the EXE.

Spybot, MalwareBytes both identified a TDSS trojan, but it seems to reappear after a restart.

Any help gratefully appreciated, RSIT logs are attached.

#2 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 08 December 2008 - 12:55 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

Please transfer any files to the problem computer and rename the .exes if needed (try without renaming first though).

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can use the tracking option at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important! Please do not select the Show all checkbox during the scan.

In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 squinkler (Topic Starter)

Posted 09 December 2008 - 02:06 AM

Hi Panda,

Thanks so much for helping out. mate. Much appreciated indeed...

The only change I've made from my original posting was to *try* and install the Kaspersky Int'net Security Trial version. It required that I clear out the existing Antivirus apps, so I uninstalled AVG (unsuccessfully - there's still something floating around in there that's preventing the Kaspersky install).

OTScan log is attached, here is the GMER log.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-09 17:29:21
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code E1BBDA10 ZwEnumerateKey
Code E1AC5A50 ZwFlushInstructionCache
Code EEADAEAB pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP E1BBDA14
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP E1AC5A54

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[1844] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[1844] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[1844] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C5000A
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2724] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\TDSSmyvp.sys (*** hidden *** ) EEAD9000-EEAEB000 (73728 bytes)

---- Threads - GMER 1.0.14 ----

Thread 4:392 EEADBD66

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\TDSSmyvp.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmyvp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmyvp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSjoub.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSejvk.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSurte.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrxsn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSecen.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSqxum.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSachc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSmheu.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkckq.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmyvp.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmyvp.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSjoub.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSejvk.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSurte.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrxsn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSecen.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSqxum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSachc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSmheu.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkckq.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@affid 5
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@subid 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@control 0x09 0x19 0x1F 0x16 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@flagged 1

---- EOF - GMER 1.0.14 ----
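
What the helper reads off this GMER log by hand (the hidden driver, the hidden service, the module files listed under its registry key, and the inline JMP hooks) can be extracted mechanically. The script below is an added example for this thread, not GMER's own code or the forum team's tooling; it reuses lines from the log posted above as its sample input and assumes that `\systemroot` means `C:\WINDOWS`.

```python
r"""Triage a GMER rootkit-scan log for TDSS-style indicators.

Added example for this thread, not GMER's own code or the helper's tooling. It
pulls out what the responder above read off by hand: inline JMP hooks on kernel
and Winsock functions, the driver GMER flags as hidden, and the files that the
hidden service's registry values point at (the :files block of the OTScanIt
fix). SAMPLE_LOG is excerpted from the log posted above; \systemroot is assumed
to mean C:\WINDOWS.
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# "PAGE mod!func addr N Bytes JMP target" or ".text proc[pid] mod!func addr N Bytes JMP target"
HOOK_RE = re.compile(
    r"^(?:PAGE|\.text)\s+(?:(?P<proc>.+?\[\d+\])\s+)?"
    r"(?P<func>\S+!\S+)\s+[0-9A-F]+\s+\d+ Bytes\s+JMP\s+(?P<target>[0-9A-F]+)"
)
MODULE_RE = re.compile(r"^Module\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(?P<name>\S+)"
)
REG_RE = re.compile(r"^Reg\s+(?P<key>.+?)(?:@(?P<value>\S+)\s+(?P<data>.+))?$")
SERVICE_KEY_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)", re.IGNORECASE)


@dataclass
class Findings:
    hooks: list = field(default_factory=list)            # (scope, function, JMP target)
    hidden_modules: list = field(default_factory=list)   # driver images GMER flagged as hidden
    hidden_services: dict = field(default_factory=dict)  # lower-cased service name -> image path
    registry: list = field(default_factory=list)         # (key, value name or None, data or None)


def parse_gmer(log: str) -> Findings:
    """Walk the log section by section; sections we do not triage are skipped."""
    found, section = Findings(), None
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group("name")
        elif section in ("Kernel code sections", "User code sections") and (m := HOOK_RE.match(line)):
            found.hooks.append((m.group("proc") or "kernel", m.group("func"), m.group("target")))
        elif section == "Modules" and (m := MODULE_RE.match(line)):
            found.hidden_modules.append(m.group("path"))
        elif section == "Services" and (m := SERVICE_RE.match(line)):
            found.hidden_services[m.group("name").lower()] = m.group("path")
        elif section == "Registry" and (m := REG_RE.match(line)):
            found.registry.append((m.group("key"), m.group("value"), m.group("data")))
    return found


def removal_candidates(found: Findings, systemroot: str = r"C:\WINDOWS") -> list:
    """On-disk files referenced under a hidden service's registry key.

    Keys of services GMER did not flag are ignored, so legitimate drivers never
    appear; CurrentControlSet and ControlSetNNN duplicates collapse to one entry.
    """
    unique = {}
    for key, _value, data in found.registry:
        svc = SERVICE_KEY_RE.search(key)
        if not (svc and data) or svc.group("svc").lower() not in found.hidden_services:
            continue
        if data.lower().startswith("\\systemroot\\"):    # expand the kernel-style prefix
            data = systemroot.rstrip("\\") + data[len("\\systemroot"):]
        if re.match(r"^[a-z]:\\", data, re.IGNORECASE):  # keep paths, drop flags such as "start 1"
            unique.setdefault(data.lower(), data)
    return sorted(unique.values(), key=str.lower)


SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.14 ----
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP E1BBDA14
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\Explorer.EXE[1844] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00C3000A
---- Modules - GMER 1.0.14 ----
Module \systemroot\system32\drivers\TDSSmyvp.sys (*** hidden *** ) EEAD9000-EEAEB000 (73728 bytes)
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\drivers\TDSSmyvp.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmyvp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSjoub.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSurte.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSjoub.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@googleadserver pagead2.googlesyndication.com
"""
```

Running `removal_candidates(parse_gmer(SAMPLE_LOG))` yields the same three TDSS files the fix below targets, with the ControlSet003 duplicate folded in; the tdssData key is left alone because it does not belong to a hidden service.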

#4 PropagandaPanda

Posted 09 December 2008 - 02:39 AM

Hello squinkler.

We'll get rid of the leftover AVG components later.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Right click and extract avenger.exe to your desktop
  • Start the Avenger by clicking on its icon on your desktop.
  • Copy all the text contained in the quote box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Drivers to Disable:
    TDSSserv.sys
    
    Registry keys to delete:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData
  • Click the paste button to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.
Run Fix with OTScanIt
We will run OTScanIt with directives. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Kill Explorer]
    [Registry - Safe List]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper]
    YN -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgssie.dll [AVG Safe Search]
    YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "Symantec PIF AlertEng" -> %CommonProgramFiles%\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe ["C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"]
    [Custom Items]
    :files
    C:\WINDOWS\system32\drivers\TDSSmyvp.sys
    C:\WINDOWS\system32\TDSSjoub.dll
    C:\WINDOWS\system32\TDSSejvk.dat
    C:\WINDOWS\system32\TDSSurte.dll
    C:\WINDOWS\system32\TDSSrxsn.dll
    C:\WINDOWS\system32\TDSSecen.dll
    C:\WINDOWS\system32\TDSSqxum.dll
    C:\WINDOWS\system32\TDSSnmxh.log
    C:\WINDOWS\system32\TDSSachc.dll
    C:\WINDOWS\system32\TDSSmheu.log
    C:\WINDOWS\system32\TDSSkckq.log
    :end
    [Reboot]
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Please post back with:
-the Avenger log
-the OTScanIt fix log
-a new OTScanIt scan log (settings at default, attached). You may run out of attachment space. If so, go to your Control Panel to remove your previous attachments to make room for new ones.
-a new GMER log

With Regards,
The Panda

#5 squinkler (Topic Starter)

Posted 09 December 2008 - 05:18 AM

Thanks Panda...
I followed instructions but the OTScanIt fix hung, restarted it, but no Notepad log was displayed after reboot. I think I found the log files, though...they're both attached.

Process Explorer.EXE killed successfully!
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Symantec PIF AlertEng deleted successfully.
[Custom Items]
========== FILES ==========
C:\WINDOWS\system32\drivers\TDSSmyvp.sys moved successfully.
C:\WINDOWS\system32\TDSSjoub.dll moved successfully.
C:\WINDOWS\system32\TDSSejvk.dat moved successfully.
C:\WINDOWS\system32\TDSSurte.dll moved successfully.
C:\WINDOWS\system32\TDSSrxsn.dll moved successfully.
C:\WINDOWS\system32\TDSSecen.dll moved successfully.
C:\WINDOWS\system32\TDSSqxum.dll moved successfully.
File/Folder C:\WINDOWS\system32\TDSSnmxh.log not found.
File/Folder C:\WINDOWS\system32\TDSSachc.dll not found.
File/Folder C:\WINDOWS\system32\TDSSmheu.log not found.
C:\WINDOWS\system32\TDSSkckq.log moved successfully.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.2.1 fix logfile created on 12092008_201845

Edited by PropagandaPanda, 09 December 2008 - 08:49 PM.


#6 PropagandaPanda

Posted 09 December 2008 - 09:00 PM

Hello.

That looks much better.

Please uninstall all versions of Java except "Java™ 6 Update 10" using Add/Remove Programs.

Run a Script With the Avenger
  • Copy all the text contained in the quote box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Drivers to delete:
    TDSSserv.sys
    
    Registry keys to delete:
    HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys
  • Start the Avenger by clicking on its icon on your desktop.
  • Click the paste button to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
  • On reboot(s), a log will open. Post back with it.
--
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

-----
Install AVG over what's left of the current installation. Uninstall it to remove all the components. Alternatively just keep AVG for now.

Please take a new OTScanIt log after all that. You may run out of attachment space. If so, go to your Control Panel to remove your previous attachments to make room for new ones.

With Regards,
The Panda

#7 squinkler (Topic Starter)

Posted 10 December 2008 - 01:56 AM

PP,

I'm having a few problems. The Avenger script ran fine.

The Kaspersky online scanner, on the other hand, keeps telling me that I need Java R1.5 or later.

I downloaded and installed the latest Java version, all to no avail.

I do have a Kaspersky 30 day trial app...should I try and install that and run a scan?

#8 PropagandaPanda

Posted 10 December 2008 - 02:58 AM

Hello.

Go ahead and install the Kaspersky.

Also include a new HijackThis log.

With Regards,
The Panda

#9 squinkler (Topic Starter)

Posted 10 December 2008 - 03:36 AM

Thanks for your help, PP

>> Go ahead and install the Kaspersky
Unfortunately, it still thinks that there's an AVG component in there, in spite of me having installed/uninstalled it.

On the plus side, I've managed to get the online scanner working by enabling a Java browser add-on, so will post that log when done.

And the HT log too.

#10 PropagandaPanda

Posted 10 December 2008 - 04:50 AM

Hello squinkler.

Something else for your to-do list. Take your time. I probably won't be replying again until tomorrow.

Open OTScanIt and paste this into the Custom Scans. Leave other settings at default. Run the scan and attach the log please.
c:\program files\avg\*.* /s
Viewpoint Program
Viewpoint Manager and Viewpoint Media Player are considered foistware rather than malware, since they are installed without the user's approval but do not have malicious effects. This has changed from what we knew in 2006; read this article.

I suggest you remove the program(s) through Add and Remove Programs.

With Regards,
The Panda

#11 squinkler (Topic Starter)

Posted 10 December 2008 - 06:50 AM

Finally done on the Kaspersky scan.

Three lovely logs for your delectation...

Catch you tomorrow.

#12 PropagandaPanda

Posted 10 December 2008 - 07:45 PM

Hello squinkler.

Those logs look clean. Kaspersky just found some leftovers, which OTScanIt should take care of.

Put this into the OTScanIt fix box:
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgssie.dll [AVG Safe Search]
[Files/Folders - Created Within 30 Days]
NY -> AVG -> %ProgramFiles%\AVG
NY -> AVGTOOLBAR -> %AppData%\AVGTOOLBAR
NY -> avg8 -> %AllUsersProfile%\Application Data\avg8
NY -> avg_avwt_stf_all_8_87a1276_cnet.exe -> %UserProfile%\My Documents\avg_avwt_stf_all_8_87a1276_cnet.exe
[Files/Folders - Modified Within 30 Days]
NY -> 6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 30 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Custom Items]
C:\Documents and Settings\James\Local Settings\Temp\*.tmp
:end
After that, try to install Kaspersky again. If still no go, try the "Avg uninstall tool". Note that I haven't tried this program before. Running it through all the scanners comes up clean though.

Post back with the OTScanIt fix log and a new HijackThis log please.

Are you having any problems right now other than not being able to install Kaspersky?

With Regards,
The Panda

#13 squinkler (Topic Starter)

Posted 10 December 2008 - 09:06 PM

PP,

Here's the logs...

Still no joy on the Kaspersky install. The uninstaller isn't recognising that AVG is installed (it isn't, of course) so doesn't give me the option to uninstall it.

I'll try reinstalling and then uninstalling but the OTScan fix seemed to delete the install EXE, so I'll have to download it again, reinstall and uninstall.

I'll keep you posted...

Cheers again...you're a legend.

#14 squinkler (Topic Starter)

Posted 10 December 2008 - 09:08 PM

Oh, yes...everything seems to be peachy apart from the Kaspersky install. I can live without it if worst comes to worst and use other AV software.

#15 PropagandaPanda

Posted 10 December 2008 - 09:45 PM

Hello squinkler.

There's not much we can do about Kaspersky not installing. Trying another would be your best bet.

Not a good idea to surf without an AV, even for a while.

Any of these are good choices. After installing, update the database, run a full system scan and remove any items found.

Please take a new HijackThis log after installing one.

With Regards,
The Panda



