New (ancient) User


15 replies to this topic

#1 wicca


Posted 02 December 2006 - 07:16 PM

Hello, first post from a beginner who is struggling with jargon and tech talk, so be gentle please :thumbsup: I am running Windows XP on a laptop and in 2005 downloaded a free antivirus programme from a well known supplier. After 12 months I replaced it with a new programme from a different source, and a later scan indicated that there was a Trojan?? in the system and the indication was it had appeared via the old antivirus programme!! All attempts by me to remove the old programme via the normal facility produce a window saying "files cannot be found". I have (by pure luck) found the programme is on the 'D' drive in the computer but even a programme called CCleaner did not solve the problem when I highlighted the old antivirus for removal, and it is apparently still running...I am considering 1) a large sledgehammer or 2) seeing if my laptop floats in deep water. Is there a less expensive solution to the problem please? wicca



#2 Albert Frankenstein


Posted 02 December 2006 - 07:40 PM

"1) a large sledgehammer"

Sledgehammers are not very expensive! :flowers:

Welcome to BC! :thumbsup:

Well, let's see... let's start simple and if need be we will get tougher with this problem of yours!

"in 2005 downloaded a free antivirus programme from a well known supplier"

Who is the supplier, what is the name of the program we are dealing with here?

"After 12 months I replaced it with a new programme from a different source,"

And what program is this one? Did you delete the old one first or just start using the new one? (It is not good to be running 2 antivirus programs).

"and it is apparently still running..."

How do we know this?

"and a later scan indicated that there was a Trojan?? in the system and the indication was it had appeared via the old antivirus programme!!"

Depending upon what programs we are dealing with here, the trojan could have been removed by the old program and put into a 'vault' or safe place so it could do no harm to your system. But then scanning with the second program found the virus, and it was in a file with the name of the first program. At least that is my first theory given the little information I have so far.

One more question: Please go to Start > Control Panel > Add/Remove Programs and tell me if you see the old program still listed there.

Please answer all of my questions above and that will give us more to go on.
ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!


#3 Enthusiast


Posted 02 December 2006 - 07:57 PM

What is the name and version of the old av program you are trying to remove, and how did you try to remove it - just CCleaner or did you look in add/remove programs in the control panel or look in your programs menu to see if the program was listed and if so did it have its own uninstaller? You should have only one resident, working anti-virus program at a time. Using more than one will conflict, give false positives and make the av program ineffective.

I recommend that you (as a non-expert at the registry), never, never, never! use any registry cleaner again or any programs that modify or alter the registry unless you are being supervised by someone expert at the registry who directs you to do so. (even one like CCleaner which has the reputation of being one of the safer ones, but even it will allow you to make a mistake and alter the registry to the point that you would require a Windows Installation disk and a lot of expertise to repair the damage).
The one exception to this would be the Microsoft Windows One Care Safety Scan, because it relies on the expertise in registry of the Microsoft engineers who wrote it, and not on any input requiring a choice from you. Any mistake you made modifying the registry using any other program could render your computer totally inoperative.

Have you removed the trojan at this point?
What did you use to do that?

In order for an av program to be at all effective it must have its definition files updated on a regular basis. Most if not all major av programs can and should be set to do this automatically.

The first order of business would be to run the Windows One Care Free Scan

Go to Windows Live Onecare Free Scan (using Windows Explorer only)
It will say "Get a free PC safety scan"
http://safety.live.com/site/en-us/default.htm

Make sure you click "Full Service Scan" in the middle of the page and
not the "Try It Now Free" on the right side.

Allow it to download the ActiveX components.
Choose "Complete Scan" in the window that opens.
Click "Next".
Do not click on anything else that offers you a free trial or to sign up if you live in the US.

Allow it to scan - it may take quite a while, maybe two hours or so depending on how big your hard drive is and how fragmented your registry and drive are.

After it completes, reboot the computer.

Then look in add/remove programs and see if the old av program is listed. If it is, use the add/remove programs utility to remove it.

If the uninstallation is successful, reboot and continue:

Make sure your current resident av program is operating properly. Update it manually and perform a complete system scan (on all partitions and hard drives).
Make sure it is set to update automatically at least once a day.
Which current AV program do you have installed?
In order to be effective (or even work at all) it must be current and kept updated. If you let it expire it is the same as not having one at all.

If you have any problems with any of the above, post back here and we will sort out whatever problems you experience.

What other anti-spyware and anti-malware programs do you have installed on your computer? We need to make sure the trojan has been removed, because if not completely removed it can regenerate, reinstall itself and reinfect your computer.

At the very least here are three freeware anti-malware programs that I recommend you download, install, update definitions and then run.
(you should run these once a week or so or whenever you think you might have downloaded something nefarious or been infected by an accidental download.)

Ad-Aware SE Personal - freeware
http://fileforum.betanews.com/detail/Adawa...nal/965718306/1

Spybot S&D:
(Update – Aug 2006 - Spybot by default now ignores certain products such as New.Net and Sidestep for no good reason. New.Net compromises the WinSock stack by routing all your DNS queries through the NewDotNet.DLL. To enable detection go to "Settings", "Ignore products", "All products" Tab, right click on "Product", left-click on "Deselect all". Once you do that it will return to being one of the best anti-malware programs available)
http://www.safer-networking.org/en/index.html
Be sure to enable “Teatimer” which gives you realtime protection (monitoring) against malware invasion.

Microsoft Windows Defender
Windows Defender will give you an additional tool in your control panel named Software Explorer which is excellent for examining software installed on your computer, its startup menu, etc which will help you identify what it is.
http://www.microsoft.com/athome/security/s...re/default.mspx
This also provides realtime monitoring protection.

Do you have a two-way firewall installed or are you just using the ineffective one-way Windows XP firewall that came with XP?
If what you are using is the Windows firewall, I suggest that you download one of the following two-way firewalls.

Software firewalls with freeware versions
(Run only one and disable the ineffective Windows XP firewall)

ZoneAlarm (freeware) V. 6.5.722
http://www.download.com/ZoneAlarm/3000-10435_4-10039884.html
(you can have only one software firewall running. More than one will conflict)

Comodo firewall (freeware)
http://www.personalfirewall.comodo.com/

There are a few others available too, but the two I linked are both good, so pick one or the other. I personally have ZoneAlarm and recommend it highly. Do not succumb to their attempts to upgrade you to any of their paid versions - if you use the other anti-malware apps I recommended you will already have the capabilities of everything you need that their paid versions have.

ZoneAlarm will automatically disable the Windows firewall when you install it. I am not sure if the others do, but you should have only one software firewall working or they will conflict with each other.

Edited by Enthusiast, 02 December 2006 - 08:03 PM.


#4 wicca


Posted 03 December 2006 - 07:08 AM

:flowers: Oh dear! even this reply is my second attempt!!! Still at least that comment gives you gentlemen some indication of just what you are dealing with here...Mr Frankenstein :thumbsup: the original antivirus was Panda Titanium, a free download, which I replaced with AGV (ironically because Panda kept bombarding me with "Buy this" "upgrade to that" emails).
Using the feature on the control panel "add remove programmes" I can see that the Panda programme is still there and when I click and highlight it for removal a window appears "cannot find files".
Using ALL of my magnificent technical skills I went to 'Search' in the control panel and entered 'Panda' and was shown that it existed in drive 'D', and at some stage in my attempts to remove it, I think when using the CCleaner programme, I was notified "Programme still running".

Enthusiast, your comment about the Trojan being found by AGV after it had been discovered by Panda could well be true, although when Panda was the only antivirus programme on my computer there was never any indication that it had found anything when doing automatic searches. I now do regular manual searches with AGV which occasionally turns up things called...tracking cookies??
I also have a programme Spybot running. I will print off your kind answers and endeavour to follow them step by step.
Now, I hope you are both sitting down...the reason I chose to install Panda Antivirus....my Granddaughter liked the little emblem!!!! True..sorry lads. Regards wicca.

#5 buddy215


Posted 03 December 2006 - 07:47 AM

Before doing what Panda recommends, you may want to consider reinstalling the program, if you can. Then use Windows to uninstall in safe mode. If you do follow the Panda instructions to manually delete, make sure you have backed up your registry FIRST!!
--------------------------------------------------------------------------------

Go to Start, Run, and type in regedit; click OK and the Registry Editor will open.

At the top of the Registry window, click on File, and then click Export... An Export Registry File window will open; choose a location to save the backup to (like My Documents), and give it a name (like Panda Removal), and then click the Save button.

You now have a backup of your registry in case anything goes wrong.
--------------------------------------------------------------------------------


From Panda:

Dear Customer

In order to uninstall the Panda Antivirus Titanium program manually proceed as follows, deleting the entries in the Registry and files detailed below. However, if at any time the entries or files cannot be found, continue with the uninstallation process, as depending on the version installed the files or entries may or may not exist.

Follow the steps below:

First attempt to remove Panda from Control Panel, Add remove programs. Once this is done, make sure that there are no Panda Services running in the Services section in Control panel. Ensure they are stopped and set to disabled.

Open the Registry from Start, Run, write REGEDIT, and click on OK. Highlight 'My Computer' at the top of the list, then go to 'Edit' and 'Find'. Type 'panda' into the box and then click on 'Find Next'. This will search the Registry for panda files. When it brings up a folder or file, press 'delete' or right-click on the highlighted file/folder and select 'delete' from the menu to remove it. Then press 'F3' to search again and find the next Panda entry.

Continue to search and delete Panda entries in the Registry until no more entries are found. Then repeat this process, this time searching for 'pav'. When both searches are complete, close the Registry and restart the computer.

Once this operation has been carried out, using Windows Explorer delete the Panda Software folder that is below C:\Program files. You should also delete the following files from Windows\system: PAV.SIG, APVXD.VXD, APVXDUT.VXD, PANDA.CHP.

By carrying out these operations, Panda Antivirus Titanium will be uninstalled.

Regards
Technical Support

Panda Software

I suggest that you backup your registry before making any changes to it. If you need help with any of Panda's instructions, feel free to ask us.

By the way, it is AVG, not AGV. I believe you have the AVG 7.5 AntiSPYware--not AntiVIRUS.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”
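
An added example, not part of the thread or of Panda's instructions: a read-only Python pass over the .reg backup made in the export step above, listing every entry that the 'panda' and 'pav' searches would hit and marking hits that carry no Panda name, so they can be checked before anything is deleted. The sample export, `ExampleVendor` and `ExampleApp` are constructed; `pavkre` and `pavprot` are names reported later in this thread.

```python
import re

TERMS = ("panda", "pav")                # search terms from Panda's instructions
KNOWN = ("panda", "pavkre", "pavprot")  # names that appear in this thread

# Constructed sample in the text layout of a regedit File > Export backup.
# A real export is UTF-16: open(path, encoding="utf-16").read()
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software\Panda Titanium Antivirus]
"Path"="D:\\Program Files\\Panda Software\\Panda Titanium Antivirus 2005"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pavprot]
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  70,00,61,00,76,00,70,00,72,00,6f,00,74,00,00,00
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Pavilion Help]
"Version"="1.0"

[HKEY_CURRENT_USER\Software\ExampleApp]
"LastFile"="C:\\Docs\\repaving-quote.doc"
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_data(raw):
    """Turn the right-hand side of a value line into searchable text."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    kind, _, payload = raw.partition(":")
    if kind in ("hex(1)", "hex(2)", "hex(7)"):   # string types, stored as UTF-16LE
        blob = bytes.fromhex(payload.replace(",", ""))
        return blob.decode("utf-16-le", "replace").replace("\x00", " ").strip()
    return raw                                    # dword / binary: keep as written


def parse_reg(text):
    """Yield (key, value_name, data); value_name is None for the key itself."""
    text = re.sub(r"\\\r?\n\s*", "", text)        # join hex continuation lines
    key = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, ""
        elif key:
            m = VALUE_RE.match(line)
            if m:
                yield key, m.group(1) or "(Default)", decode_data(m.group(2))


def find_leftovers(text, terms=TERMS):
    """List entries whose key name, value name or data contains a search term."""
    hits = []
    for key, name, data in parse_reg(text):
        if name is None:
            fields = [("key", key.rsplit("\\", 1)[-1])]
        else:
            fields = [("value", name), ("data", data)]
        context = " ".join((key, name or "", data)).lower()
        for where, field in fields:
            term = next((t for t in terms if t in field.lower()), None)
            if term:
                verdict = "vendor" if any(k in context for k in KNOWN) else "review"
                hits.append((key, name, where, term, verdict))
    return hits


if __name__ == "__main__":
    for key, name, where, term, verdict in find_leftovers(SAMPLE_REG):
        print(f"{verdict:6} {term:5} {where:5} {key} {name or ''}")
```

On the constructed sample the two "review" rows are a "Pavilion Help" key and a document path containing "repaving": both match 'pav' and neither belongs to the antivirus.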

#6 Albert Frankenstein


Posted 03 December 2006 - 09:56 AM

"I believe you have the AVG 7.5 AntiSPYware--not AntiVIRUS"

I am just curious as to why you think that?


#7 buddy215


Posted 03 December 2006 - 10:48 AM

Wicca said his "AGV" found tracking cookies. I don't think the antivirus AVG will do that. Should have pointed that out earlier.

#8 wicca


Posted 03 December 2006 - 04:44 PM

Hello Folks, I've been wading through the help and advice the three of you kindly gave me with regard to the immovable Panda creature. I just looked at your last entry Buddy, I do apologise mate, the comment I made about cookies, now I think about it was shown after a search by spybot not AVG but it just illustrates to me how switched on you folks are. The AVG is definitely an antivirus programme.
Anyway, back to square 1. I made another attempt at removing our furry friend via the control panel and change/remove programmes. A window appeared saying 'error extracting support files, cannot find files specified'. As a matter of interest although it means little to me the Panda programme as shown in the list read 2637MB.
I then went through the procedure with the registry editor, my computer, find etc: I'm pleased to say I actually managed to put a copy of the registry in 'My documents' before I started bumping off anything that appeared with Panda in it. The end result (so far) is, he has disappeared from the control panel window which lists the programmes for change/remove, but when as a further check I used 'search' under files/folders there are still traces of him shown as D/compdata and D/prog files/common files. Both these show 0 kb, if that means anything. There are however 2 entries in blue type!! D/1386/computer data. 1 KB shown as HTML doc: the second one also blue, and 1KB says text document. Any attempts at clicking and 'delete' leads to a window with the same old song, 'error extracting support etc:'

I have no idea how to find out if the remaining files are causing any problems, certainly the computer seems to be functioning well enough given the extremely limited capabilities of the operator :flowers: but I think I can (or rather you can) claim a 75% success.
Now, where did I leave my old Olivetti typewriter? Now that I can fix!!! :thumbsup: wicca.

#9 buddy215


Posted 03 December 2006 - 05:12 PM

So, all is well? Have you run a scan with AVG to see if it still finds the malware? Sounds like you may have gained a lot of free space on your HDD. Just curious, have you looked in your recycle bin to see how much was deleted?

#10 Enthusiast


Posted 03 December 2006 - 10:42 PM

AVG is now two different programs -
* AVG Anti-Virus Free
* AVG Anti-Spyware Free
I suggest you get and use BOTH!
http://free.grisoft.com/doc/1

AVG anti-spyware used to be Ewido and when Ewido sold it they charged for it. Grisoft is offering it free, and it is really good.

Did you run the Windows Live One-Care scan?
You need to do so because it will delete orphaned registry entries left by Panda.

The i386 file is a Windows System File, in fact your main Windows System File. DO NOT EVER TRY TO DELETE OR CHANGE ANYTHING IN IT UNLESS YOU ARE BEING SUPERVISED BY AN EXPERT!
This file should be hidden and not even be able to be seen!

Where is your Windows XP installation - in drive "D"? or C?
What else is in drive D? (it may or may not be just a backup file - depending on what is in it and where Windows is installed)

Did you do the other things I suggested in my post?

Oh, and do not run Spybot in any mode other than "default" - NEVER "Advanced"!

Tracking cookies are issued every time you go to any website. They are not nefarious and you can clean them any time you want to do so. Most scans will automatically give you the option to delete them or you can do so by clicking on tools/internet options on your browser.

#11 wicca


Posted 04 December 2006 - 12:10 PM

Enthusiast, good afternoon. I printed off all the original advice you gave me and will slowly work my way step by step through each item. I suspect tasks which take me ages to complete are run of the mill jobs to regular computer users. The Windows installation is in drive 'D'. The antivirus programme I have is the one you speak of AVG Anti-Virus (free download). At the time of installing it I had hoped to install the EWIDO anti-spy but it was not available at that time due to the change of ownership, so I used SpyBot instead.

As stated to Buddy 251, there are still Panda files here, and attempts at shifting them invariably result in "Access denied". I will carefully go through the whole procedure again, follow the guidance you kindly laid out, and let you know the result. I understand now why people who are keen on computer use get so upset when difficult problems occur. I take the view that having survived 63 years without using one, I can afford not to let it bother me. It's interesting though and I appreciate all the help. Wicca.

#12 wicca


Posted 04 December 2006 - 07:38 PM

Ha! back again..retried the deletion process right from the beginning as advised in your post - Buddy 215, although it appeared to be from Panda support?? Lost me now.
Followed the steps carefully with the registry-find etc:

Entry..D/program files/panda software/panda titanium antivirus.
Panda server
panda antidialer
panda pavkre
panda pavprot
All of these, when I try to delete produce a window - "Error on deleting values" - "unable to delete all specified values". And I've no doubt loads more which are still there after TWO complete runs through as per the instructions, from 'panda support'?? :thumbsup:


When I go to 'search' on the start up menu, type in panda up comes:
Panda software D/prog files 25.7MB
Panda software D/progfiles/common files 760KB
panda titanium antivirus 2005 D/prog files/panda software 25.7

ALL attempts at transfer to My documents then recycle bin (thinking I could delete that way) fail. Clicking on item and trying to delete that way also refused.

So, if you are not bored with all this nonsense, any more suggestions as to what I might try? One of my mates has suggested I stuff bamboo shoots into the laptop to try to coax the panda out....mmm! might just try it too. :flowers: :trumpet: wicca

#13 buddy215


Posted 05 December 2006 - 12:04 AM

Try deleting while in safe mode.

#14 Enthusiast


Posted 05 December 2006 - 02:22 AM

When you get a chance go back to AVG and get their anti-spyware too.
It will work in addition to Spybot and is an excellent program (which it was before Ewido sold it to AVG).

At this point is Panda causing any problem?
Can you see it (or any component of it) running in your startup menu?
(Use Startup Inspector to manage your startups as it will help you identify the startup entries far better than will msconfig.)
Startup Inspector:
http://www.windowsstartup.com/download.php

If you see any part of Panda in the startup menu (click "All Startup Items" - top left in left panel) disable it. At that point it should stop being problematic.

#15 wicca


Posted 05 December 2006 - 06:19 PM

Hello Enthusiast, I downloaded the Windows Startup Inspector you mentioned and various Panda programmes appeared on it. When highlighted, disabled in startup and clicked for delete in the window which opens in the Startup programme it states "This programme does not exist" in red print!

Going to 'D' drive, looking in 'files' shows Panda Titanium Antivirus 2005 25.7 mb. Now if it does not exist why does it keep appearing and using space? is that the right expression on the discs? I have had no problems with this panda programme (at least to my knowledge) but it's there, taking up space, an independent virus scan by AVG seemed to suggest the panda was at least connected to something that was thrown out. A simple file shredder gives a completely false response ...so many files shredded. Then "error" files not available or similar.

Tell me, if "secure mode" is an accepted computer term, why can I not find it in indexes and glossaries when I try to look it up? Have the boffins finally outsmarted themselves with jargon and confused the computers? When I 'search' secure mode and get "no result available" :thumbsup: :flowers: :trumpet:

I'll leave this laptop for a few days as I've got to travel, but a widening circle of "experts" (so they claim) are happy to play with it while I'm gone and the reluctant to leave panda is certainly generating publicity in this neck of the woods. regards wicca



