
does Avg interfere with Rkill


This topic is locked. 14 replies to this topic.

#1 downwardly mobile

Posted 04 March 2011 - 07:45 PM

I am debugging a friend's computer. It is a Dell Latitude D620 running XP Home 2002 SP3, Internet Explorer version 7.0.5730.11. I am knowledgeable about computers (have old degrees) but am not a sys admin.

HISTORY
The computer was infected with the system tool virus around 2/25/2011. It was running a paid version of Avg antivirus at the time but the firewall may have been off (or was turned off by infection).

Logged on in safe mode, I ran AVG antivirus with an up-to-date virus database. (I didn't get to see the results, unfortunately, so I don't know what was found.)

I followed the instructions on BleepingComputer for System Tool removal (including replacing the hosts file). However, Malwarebytes did not find the System Tool virus; it only reported many Potentially Unwanted Programs related to a toolbar (maybe del.icio.us), which I removed.

CURRENT SYMPTOMS
System Tool fake antivirus popups no longer appear so maybe it is gone.

In both safe and normal modes, internet explorer is redirected to random sites about 75% of time when selecting sites found by search engines. I tested google, live, and yahoo. Links on web pages not redirected. Sometimes multiple redirects happen on one selection. I am redirected both to other search engines and to random sites. Disabling addons did nothing.

I cannot update windows in safe or normal mode. Internet explorer says it cannot display the update site but I can go to other sites.

In normal mode, I get lots of popups while running internet explorer. (might have stopped - thing keeps morphing!)

Neither Avg nor Malwarebytes reports any problems.

I donít see anything obviously strange in taskmanager.

Avg Identity Protection keeps popping up messages about detected malware which it claims to remove (e.g. temp/rarsfx8/userinit.exe). I have no idea if this is for real.

(In normal mode, Rkill runs but does nothing under any of the download names. I see it running in Task Manager, but its screen doesn't even appear. In safe mode, different processes have been stopped (I don't remember the first one; the second one was windows/pchealth/helpctr/Binaries/helpsvc.exe). In the most recent try Rkill stopped nothing. Rkill behaves the same way on my noninfected machine. Does Rkill run in normal mode?)

What should I do next? Another antivirus program? Which one? I see other posts with similar symptoms, but these symptoms seem so generic that I don't want to assume the machine has the same thing. I'd like to know what the virus is before I start deleting things! :-) Thanks.
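Worked example, added here and not part of the thread nor a BleepingComputer tool: the two symptoms in the post above, search-result redirects and an unreachable Windows Update site while other sites load, are exactly what a hijacked hosts file produces, and the poster has already replaced that file once. The script below parses a Windows hosts file and flags two things: well-known update, antivirus and search domains pinned to 127.0.0.1 or 0.0.0.0 (a block), and any name mapped to a non-loopback address (a redirect). The hosts content embedded in it is constructed sample data, not the infected machine's file; the list of "sensitive" domains is my own choice; and 203.0.113.45 is a documentation-range address standing in for an attacker's server. It is meant to be run on a clean machine against a copy of C:\Windows\System32\drivers\etc\hosts, not on the XP box itself.

```python
"""Flag hosts-file entries that block security/update sites or redirect
search engines. Added example for this thread, not a BleepingComputer tool.
SAMPLE_HOSTS is constructed sample data, not the infected machine's file."""
import ipaddress
import os
import sys

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# constructed examples of the kind of lines a hijack adds:
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       update.microsoft.com
0.0.0.0         www.avg.com
203.0.113.45    www.google.com   # constructed: TEST-NET-3 address, not a real server
203.0.113.45    search.yahoo.com
"""

# Domains a home PC should never pin in its hosts file (assumption: my own list).
SENSITIVE_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "avg.com", "malwarebytes.org",
    "bleepingcomputer.com", "google.com", "yahoo.com", "bing.com", "live.com",
)


def under_domain(host, domain):
    """True when host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def parse_hosts(text):
    """Return (line_no, ip, hostname) tuples. Comments and malformed lines are
    skipped, which is also how Windows treats them."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # first token is not an address
        for host in parts[1:]:                  # one IP may list several names
            entries.append((n, str(ip), host.lower()))
    return entries


def suspicious_entries(text):
    """Return (line_no, hostname, ip, reason) for every entry worth a look."""
    findings = []
    for n, ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        null_route = addr.is_loopback or addr.is_unspecified  # 127.x, ::1, 0.0.0.0
        if null_route:
            if host == "localhost":
                continue                        # the one line a default XP file has
            if any(under_domain(host, d) for d in SENSITIVE_DOMAINS):
                findings.append((n, host, ip, "blocked: update/AV/search site sent to loopback"))
            # other loopback entries are typical of ad-blocking hosts lists; leave them
        else:
            findings.append((n, host, ip, "redirected: resolves to a remote address"))
    return findings


def main(path=None):
    """Scan the file at `path` (or the constructed sample) and return the finding count."""
    if path and os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    findings = suspicious_entries(text)
    for n, host, ip, reason in findings:
        print(f"line {n}: {host} -> {ip}  [{reason}]")
    return len(findings)


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1] if len(sys.argv) > 1 else None) else 0)
```

Run it as `python hosts_check.py path\to\copied\hosts`; with no argument it scans the constructed sample and reports five entries. If the real file comes back clean and the redirects continue, the cause sits lower in the stack (DNS server settings, a Winsock LSP, or a kernel rootkit such as the TDL3 that DDS reports later in this thread), which no hosts-file edit will touch; that is why the replies steer the poster toward the Malware Removal Team logs rather than more scanners.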


#2 cryptodan

Posted 04 March 2011 - 08:10 PM

You may need some assistance from the Malware Removal Team, so please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#3 downwardly mobile

Posted 05 March 2011 - 12:27 PM

I am debugging a friend's infected computer and have discovered that Rkill won't run on my theoretically uninfected machine either, which has me worried. Both machines are running the paid version of AVG. On my machine I can download and run Rkill under its various names, but it usually doesn't even put up its screen. The process is listed as running by Task Manager but accrues no CPU time. The one time it put up its screen it stalled even before it asked me to be patient. I waited about half an hour before killing it. I tried saving it to a data folder rather than the desktop and used "run as" myself (no second user on the machine) as an earlier post suggested too. I will try creating a guest account or admin.

Do I need to worry that my machine is infected too or just need to turn off Avg (hope)?
thanks

#4 downwardly mobile

Posted 05 March 2011 - 12:36 PM

I was able to download and run the programs to create dds.txt, attach.txt, and ark.txt, but cannot post the results. When I select "post to forum" (or whatever button is labeled) after creating the post, I get "Internet explorer cannot display webpage." I tried in both normal and safe modes. Of course, internet explorer can display other pages just fine and diagnose connection shows all is fine.

SO...I selected and copied the contents of the 3 files into 3 emails to myself with the intent of posting to the malware removal forum from another computer. Each time I did the copy into the email, there was a LONG delay (several minutes) when the mail process was unresponsive, as if something more might be being copied. I use gmail. Should I open these emails or do I risk infecting another machine?
thanks

#5 downwardly mobile

Posted 05 March 2011 - 01:03 PM

typo in topic title. Meant does Avg interfere with rkill. Getting frazzled. I also meant to post this as reply under rkill topic. How do I delete this topic since I cannot edit topic name?

#6 cryptodan

Posted 05 March 2011 - 01:04 PM

Can you try attaching the files to the post?

#7 Starbuck

Posted 05 March 2011 - 01:11 PM

How do I delete this topic since I cannot edit topic name?

Just send a 'Moderator' a PM, give them the link to the thread and ask them to make the changes for you.


#8 downwardly mobile

Posted 05 March 2011 - 01:26 PM

I was worried that if I attached the files I would be more likely to transmit the virus. My fear is based only on the fact that people always tell you to never open attached files if you are worried there might be a virus! Attaching the files would be easier certainly.

#9 downwardly mobile

Posted 05 March 2011 - 01:41 PM

How do I PM a moderator? I searched help and starter topics. I found out how to send a private message (PM? I assume) but typing "moderator" for recipient didn't work. :-) And by link I assume you mean the url that opens when you go to the specific topic? I feel so ignorant...

#10 coles1mom

Posted 05 March 2011 - 01:48 PM

Hi downwardly mobile,

I don't have AVG, but I do know Kaspersky needs to be paused to run Rkill.

#11 cryptodan

Posted 05 March 2011 - 02:12 PM

Attach the files to your post in the malware section.

#12 downwardly mobile

Posted 05 March 2011 - 02:20 PM

The infected machine won't let me post to BleepingComputer, so I emailed the contents of the files to myself so I could reconstruct the files and create the post on another machine (with the files attach and ark attached as specified). However, after working on viruses for a few days I am totally paranoid and am worried about opening the emails to myself containing the data from the files dds.txt, attach.txt, and ark.txt sent from the infected machine. Gmail behaved very oddly when composing the emails.

I was hoping for assurances that cutting and pasting text from emails couldn't possibly transfer a virus (I cannot imagine how but see afore mentioned paranoia!).

thanks

#13 Elise

Posted 05 March 2011 - 02:26 PM

Hello, to avoid any confusion I have merged both topics you made. I also edited the topic title. :)

Because of the problems you have with posting logs, please try to follow the steps in this guide

Please do not create any other topic for now, instead post back here.

Edited by elise025, 05 March 2011 - 02:27 PM.

regards, Elise



Malware analyst @ Emsisoft


#14 downwardly mobile

Posted 05 March 2011 - 03:01 PM

Thanks. I am ready now to post to the malware removal forum as was originally requested. It does sound like I have TDL3 (DDS reports TDL3). Should I go ahead and run TDSSKiller or proceed with the malware forum post including data files as I had intended?

I went ahead and posted to malware forum.
link to post in malware forum

Edited by downwardly mobile, 05 March 2011 - 03:13 PM.


#15 Elise

Posted 05 March 2011 - 03:17 PM

That is definitely a rootkit infection. To avoid further confusion, I'll close this topic and reply in the other topic.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users