TechSpot

Avg has trojan sheriff in vault

By shetawk
Mar 6, 2008
  1. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    :Run Kaspersky Online AV Scanner:

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  2. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    Here it is...2 viruses, 5 infected files... Thank you..

    See attached file.

    Thank you. ST
     
  3. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    Some of those files are from avg and others from windows...

    Are they all bad?

    ST
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    No, you are infected. But as the log says at the top 2 viruses and 5 total infections.

    I am going to look back through the last few logs and will be back in a little while.
     
  5. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    Symantec scan showed nothing wrong...

    That's why I stopped subscribing to them years ago.

    Trend caught 2 viri that Sy missed. ST
     
  6. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    F-Secure said not-virus bad joke was virus

    Why are all the reports different?
     
  7. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    Ran F-Secure again and it did same thing...

    Will see if Kaspersky changes opinion. Thank you. ST
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Hi shetawk, sorry for the delay, as you can tell we get pretty busy around here.

    AVG Anti Spyware
    • Download and install the latest version of AVG Anti Spyware
    • Click Save File on the box that pops up after clicking the link
    • The AVG installer will download to your desktop, Double click on this Icon
    • In the installer Click Next, I agree, Next, Install, after it extracts the files, check box to launch AVGAS then Finish
    • With the program launched, Select the Icon at the top that says UPDATE then Start Update in the left pane
    • Now select the Icon at the top that says SHIELD then at the top of the left pane change "Resident Shield is ..." from Active to Inactive
    • After the update click on the Scanner Icon at the top, then select the settings tab, in the first section "How to act?" click on recommended actions and change it to delete. In the reports section make sure it is set to Automatically generate report after every scan
    • Click back to the Scan tab and select Complete System Scan

    Attach the log back here
     
  9. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    Installed and ran avg spy...no report

    Block saying "no report if not infected" was clicked, although I clicked "save scan report". There is nothing listed under "infections". There were usual shopping spythings and one copy of not-virus. Didn't find a way to copy info from report. Program supposedly deleted those files. Can I access them? Do I need to?

    Reinstalled AVG antivirus and it said there were no viruses.

    Ran Housecall again and it froze, didn't finish.

    Ran Kaspersky and it said there were still viri. (report attached.)

    Although my machine is running much better and faster, am concerned about change in shell32.dll file. Feel as though someone is looking over my shoulder and monitor will explode any second.

    Is there a way I can pull that file out of installation disk and reinstall without reinstalling the whole program? How can I know whether it's doing something it shouldn't?

    Thank you. ST
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Looking better, the kaspersky scan only shows a few things. 2 of the 4 infections it is finding are in a restore point.

    Can you please turn off system restore
    1. Click Start, right-click My Computer, and then click Properties.
    2. In the System Properties dialog box, click the System Restore tab.
    3. Click to select the Turn off System Restore on all drives check box.
    4. Click OK.
    5. Click Yes to confirm that you want to turn off System Restore.

    After you are clean we will turn system restore back on.
    -----------------------------------------------------------------------------------------------------------------------------------------------------
    Go to start -> control panel -> add/remove programs and uninstall the following if there:
    SideStep

    Launch Hijackthis again and select Do a System Scan and Save a log. attach this log

    **I also need to know if you removed any entries with Hijackthis prior to attaching the log. One thing I was looking for is not there, but I see the file for it in the kaspersky scan. It looks like the entry had been removed but the file wasn't deleted.
     
  11. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    Just found out how to program reports on avg spy...

    Here it is.

    Subsequent report shows no intruders.

    Thank you. ST
     
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Excellent. Can you scan one more time with kaspersky just to be sure. Also let's secure some of the work you have done.

    You may still have this from the preliminary instructions.
    Crap Cleaner
    • Download from HERE
    • Close all browsers.
    • Run the program and make sure all the boxes are ticked under the Windows and Applications tabs. Also check all Advanced tabs (except for the Old prefetch Data option, this should be unticked)
    • Click the run cleaner button. Do this several times
    • You can also click the registry icon on the left if you want and scan for problems, select fix, then backup your registry when it pops up.

    Go to start -> Run -> type in combofix /u
    *note the space between
    *This will uninstall combofix
    *removes vundofix backups
    *removes quarantine files
    *creates a fresh clean restore point

    Remove Hijackthis from Start-> control panel -> add/remove programs
    Remove the 3 tools from step 10 (smitfraud, vundofix,virtumondobegone) by dragging to the recycle bin

    I recommend you keep
    1 anti virus program
    1 firewall
    Spybot S&D + Adaware 2007, or your choice of anti-spyware

    keep them updated.

    You can also turn on tea timer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it, then when you want to use it you can launch it through Start -> all programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.
     
  13. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    Still have a virus...

    CC cleaned and I ran it a few more times with no more infection.

    Hijack this wasn't on my list of programs to uninstall on control panel. Found it on my start menu. Don't know whether it cleaned completely.

    Kaspersky says I still have a virus and damaged files.

    Why weren't they cleaned out by the other programs?

    Thank you. ST
     
  14. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    hijack this log again...

    Here's hijack again.

    Thank you. ST
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Use Windows Explorer to navigate to and delete the following folder:
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the windows key and press E

    Files:
    C:\Kitandkaboodle\Documents\~Documents2\Travel <-This folder only

    afterwards restart your computer and run kaspersky 1 more time. I think this should be the end of it.

    Also, before the next time I post
    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder
     
  16. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    Attaching new Kaspersky - Thank you.

    Attaching new Kaspersky. Looks as though there's one added.

    - Thank you. ST
     
  17. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    Avg...

    AVG shows c:windows\system32\drivers\etc\hosts change but not virus.

    Running ad aware now.
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    The current infection found by kaspersky is in your recycle bin

    C:\RECYCLER\S-1-5-21-507921405-1965331169-839522115-1003\Dc6\SideStepSetup.exe/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.SideStep.g
    C:\RECYCLER\S-1-5-21-507921405-1965331169-839522115-1003\Dc6\SideStepSetup.exe WiseSFX:

    To remove it simply empty your recycle bin
    ----------------------------------------------------------------------------------------------------------

    Launch Spybot S&D and update it, then click immunize icon, after the green bar goes across once click the green + symbol to immunize your system.

    At the top click on Mode, then select advanced, then click on the tools section at the bottom.

    Hosts file will be one of the options -> double click it (once you use this program regularly, you can restore your host file to various dates, I have about 10 different dates to choose from on mine) but for now -> click on add Spybot S&D Host list

    Then click on the attach icon here (looks like paperclip) and navigate to the following file
    C:\windows\system32\drivers\etc\hosts.txt and attach the file here for me to check it
     
  19. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    Here it is...in installments.

    Board wouldn't accept it as it was so I copied and made a txt file but it was still too big to send so I chopped it.
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Your host file is fine.

    Go to My computer -> C:\windows\system32\drivers\etc\host.txt and right click on the file, choose properties and ensure that Read Only is checked. If it is, close the window. If it is not checked, go ahead and put a check in the box and click OK

    That should take care of everything -> just to be safe let's run 1 more scan with kaspersky and ensure that it comes up clean. If so follow below:

    :Set correct settings for files:
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    :clear system restore points:

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
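    The hosts-file check from the previous posts (AVG flagged a change, the file was attached and judged fine, then set to Read Only) can be automated. This is an added example and not code from the thread or from any of the tools it mentions; the hosts content below is a constructed sample using reserved `.invalid` names and a documentation IP, and the `hosts_is_read_only` check reads the file's read-only bit rather than clicking through Properties.

```python
import ipaddress
import os
import stat
from typing import Dict, List, Tuple

# Constructed sample hosts file: the default localhost line, two Spybot-style
# "immunize" block entries, and one hijacked entry that sends a real site name
# to a remote address (203.0.113.7 is a documentation-only IP, not a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.invalid   # block entry (harmless)
0.0.0.0         banner.example-tracker.invalid
203.0.113.7     www.example-bank.invalid      # redirect: this is the hijack
  # comment-only and blank lines are ignored
"""

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for each effective line; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed: no hostname
        entries.append((parts[0], parts[1:]))
    return entries

def is_local_sink(ip: str) -> bool:
    """True when the address only blocks a name (loopback or 0.0.0.0), never redirects it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                           # unparsable IP: treat as suspicious
    return addr.is_loopback or addr.is_unspecified

def suspicious_entries(text: str) -> Dict[str, str]:
    """Map hostname -> IP for entries that redirect a name to a real remote address."""
    found = {}
    for ip, names in parse_hosts(text):
        if not is_local_sink(ip):
            for name in names:
                found[name] = ip
    return found

def hosts_is_read_only(path: str) -> bool:
    """True if the file's write bit is clear (the Read Only box the thread asks to tick)."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)

if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS).items():
        print(f"{name} is redirected to {ip}")
```

Block entries pointing at 127.0.0.1 or 0.0.0.0 are what Spybot's immunize adds and are reported as benign; only names sent to a real remote address are listed.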
     
  21. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    Ya a-a-a-a-ay ! Thank you.

    So, does this mean that since Kaspersky was able to find the viri and infected files and the other programs weren't so exact, that I should buy Kaspersky?

    Does the full version delete the files and viri and not just find them?

    Also, since I did the java thing, my firefox won't support my pogo.com word games, saying I don't have the correct java. IE will run tumblebees once and then punk out, saying there is a java problem.

    Thank you so much. ST
     
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Different scanners have different definitions, I suggested Kaspersky because Trend Micro Housecall wasn't working, and I saw that Kaspersky had the definitions for some of your infections. Kaspersky has a great Anti-Virus program and if you think you want it - I believe they have a free trial.

    In my opinion you will get great anti-virus protection from many free programs such as AVG, Avast, or Avira.

    Also keep a firewall active at all times. I just realized that you removed your firewall and should install one of these ASAP. These are all free good firewall programs.

    You want to have a combination of anti-spyware (adaware and spybot is what I keep, update regularly and scan with)
    ----------------------------------------------------------------------------------------------

    For the Java, did you update through the console in control panel or through the link? Also did you remove older versions except java 6 update 5
     
  23. Row1

    Row1 TS Maniac Posts: 401   +10

    you get viruses from places like pogo

    "I don't go to weird websites."

    FYI: places like pogo where you play free online games, get free wallpaper, get free screensavers, send free greeting cards that jump around and sing, get 3 free mp3s for signing up to some music service, get free backgrounds for myspace, etc., are where you get these viruses and trojans.

    some of them come in when you download the java applet to run these games, "register" to use the things on the website, use their download manager, etc.

    i am not saying that the pogo website is giving you viruses and trojans. i am suggesting that these types of websites are where people will get ya when you download something - they exploit these types of sites. Just FYI.
     
  24. shetawk

    shetawk TS Rookie Topic Starter Posts: 38

    Thank you. Now my internet is extremely slow.

    Now my internet is extremely slow. Firefox takes a long time to load and videos, especially utube are impossible.

    Took everything out of start menu, emptied cache, deleted unnecessary programs. Must have deleted something I need when I did housecleaning.

    Any suggestions from anyone on what could be slowing my internet? (It's been happening since yesterday but was okay before that.)

    Have verizon hi speed and two 75.5 gig hds; AMD Sempron Processor

    2800+ 1.60 GHz, 960 MB of RAM

    MSWXP Pro 2002 Service Pack 2

    Thank you. ST
     
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Am I supposed to be responding to this? you never responded to my last post
     