TechSpot

Trojan.Downloader.KavSvc and Unclassified.Spyware.61 Spyware

By JohnKing
Jul 29, 2005
Topic Status:
Not open for further replies.
  1. Hi:

    The following problem is found on a continuing basis by Microsoft Antispyware:

    Trojan.Downloader.KavSvc

    when it tries to install itself. MS AntiSpyware says that it removes it, but it always returns. The Unclassified.Spyware.61 Spyware is usually found in the subsequent scan along with the KavSvc.

    I've updated and run

    Ad-Aware
    Spybot
    Microsoft AntiSpyware

    along with the other items in, and according to, the instructions in the

    WebSearch-Removal.txt

    file. But I haven't been able to rid my machine of this problem. I have also run Trend Micro (http://www.trendmicro.com/spyware-scan/)

    I've attached the HiJackThis file.

    Thank you, yet again, for whatever help you can provide.

    John
     


  2. RealBlackStuff


    Don't see any baddies, but the Chronology stuff is out of whack.

    Boot in Safe Mode.
    In Windows Explorer, turn on "show all files and folders, including hidden and system".


    Next, try to UNinstall anything to do with (not delete yet!):
    C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chronology.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6EE0AA4F-79EC-4BD1-A094-EDE31147A61C}: NameServer = 172.16.2.5,172.16.2.14
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chronology.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chronology.com
    O23 - Service: TD FLEXid 8 - Unknown owner - C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe (file missing)
    O23 - Service: TD FLEXid 9 - Unknown owner - C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe (file missing)
    O23 - Service: Test FLEXID NodeLocking - Unknown owner - C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe (file missing)
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, delete the Chronology directory with everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal.
    ===========================================================
    Download Ewido Security Suite (trial) from http://www.ewido.net/en/download/
    When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    Start Ewido. When you run it the first time, you get a warning "Database could not be found!". Click OK.
    On the main screen, click on Update in the left menu, then click the Start Update button.
    After the Update finishes, the status bar at the bottom will display "Update successful".
    -- If you have problems updating see here: http://www.ewido.net/en/download/updates/
    Once the updates are installed do the following:
    Click on Scanner
    Make sure the following boxes are checked before scanning:
    - Binder
    - Crypter
    - Archives
    Click on Start Scan and let Ewido scan the PC.
    While the scan is in progress, you will be prompted to 'Clean files', click OK
    When the scan is done, you'll find a Save report button at the bottom of the screen.
    Click 'Save report' and save it to your desktop.
    Reboot your PC and post back the Ewido Scanlog as a .txt attachment
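The HijackThis lines singled out above are mechanical to triage once you know what to look for: an O23 service whose binary is marked "(file missing)" is an orphaned registration, and an O17 entry is only a problem if the DNS suffix or nameserver differs from what the machine is supposed to use. The Python below is an added example (not from the thread and not part of HijackThis) that parses those two sections and flags them. The O17/O23 sample lines are the ones quoted in the post; the ATI service line and the NameServer line pointing at 8.8.8.8 are constructed to show a benign service and a resolver outside the expected list. The expected domain and nameservers are assumptions taken from the log and passed in by the caller.

```python
import ipaddress
import re
from dataclasses import dataclass

# HijackThis lines quoted in the thread (O17 TCP/IP settings, O23 services), plus two
# constructed lines: a benign service entry and a NameServer entry that points at a
# public resolver, to show what a non-matching entry looks like.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chronology.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EE0AA4F-79EC-4BD1-A094-EDE31147A61C}: NameServer = 172.16.2.5,172.16.2.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chronology.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chronology.com
O23 - Service: TD FLEXid 8 - Unknown owner - C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe (file missing)
O23 - Service: TD FLEXid 9 - Unknown owner - C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe (file missing)
O23 - Service: Test FLEXID NodeLocking - Unknown owner - C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 8.8.8.8
"""

# "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# "O17 - <registry key>: <setting> = <value>"
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\\S+?): (?P<setting>Domain|NameServer|SearchList) = (?P<value>.+)$"
)


@dataclass
class Finding:
    severity: str   # "fix", "review" or "info"
    line: str
    reason: str


def triage_hjt(lines, expected_domain=None, expected_nameservers=()):
    """Classify O17 and O23 lines; every other HJT section is ignored."""
    allowed = {ipaddress.ip_address(ip) for ip in expected_nameservers}
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(Finding("fix", line,
                    f"service '{m.group('name')}' points at a binary that no longer exists; "
                    "orphaned registration, safe to remove"))
            elif m.group("owner") == "Unknown owner":
                findings.append(Finding("review", line,
                    f"service '{m.group('name')}' has no registered owner; verify {m.group('path')}"))
            continue
        m = O17_RE.match(line)
        if not m:
            continue
        setting, value = m.group("setting"), m.group("value")
        if setting == "Domain":
            if expected_domain is None:
                findings.append(Finding("review", line, f"confirm DNS suffix '{value}' is one you configured"))
            elif value.lower() != expected_domain.lower():
                findings.append(Finding("fix", line, f"DNS suffix '{value}' differs from expected '{expected_domain}'"))
            else:
                findings.append(Finding("info", line, "DNS suffix matches the expected domain"))
        elif setting == "NameServer":
            for item in value.split(","):
                try:
                    ip = ipaddress.ip_address(item.strip())
                except ValueError:
                    findings.append(Finding("review", line, f"unparseable nameserver '{item.strip()}'"))
                    continue
                if ip in allowed:
                    continue
                if ip.is_private:
                    findings.append(Finding("review", line, f"nameserver {ip} is a LAN address not in the expected list"))
                else:
                    findings.append(Finding("fix", line,
                        f"nameserver {ip} is a public resolver not in the expected list; DNS redirection candidate"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'info': 3, 'fix': 4}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG.splitlines(), "chronology.com", ("172.16.2.5", "172.16.2.14")):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run with the expected domain and nameservers supplied, the three lmgrd.exe services come out as "fix" and the chronology.com entries as "info", which matches the poster's own assessment that the Chronology entries are expected on that machine; run with no expectations, every O17 line is demoted to "review" so nothing is silently accepted.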
     
  3. JohnKing


    After Ewido

    Hi:

    The Chronology stuff does look odd, but I know exactly what it is about and the status as shown makes sense to me. I can go into detail about it if you'd like, but it isn't the problem. Regardless, I did remove the services using HJT. I need the TCP/IP settings.

    I've attached the Ewido report.

    Thanks for your time,

    John
     


  4. JohnKing


    Update

    Just a note to let you know that since running Ewido earlier today, Microsoft Spyware hasn't complained about anything trying to install itself. It may be that it's now removed.

    John
     
  5. RealBlackStuff


    Seems that friend Ewido cleaned out quite a few hidden 'lurkers'.
    Those first HKLM lines and the last C:\WINNT lines contained the real nasties, that don't show up normally.
    You should be fine now.

    PS: delete your cookies once a week or more often as well as your temporary internet cache in both Firefox and IE (should use IE only for Windows updates!).
     
  6. JohnKing


    Things seem pretty solid.

    Thanks again.

    John
     
  7. Hi John,

    I got this one too. I don't think it's residing in your startup or IE BHO. Review your Shell Execute Hooks configuration. On mine it gets executed from the Control Panel shell.

    Try this.
    From Microsoft Anti-Spyware. Go Advanced Tools --> System.

    -Mickenth
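Reviewing the Shell Execute Hooks that Mickenth mentions means listing the CLSIDs registered under Explorer's ShellExecuteHooks key and resolving each one to the DLL it loads; a hook DLL sitting in a temp directory, or a CLSID that no longer resolves to any DLL, is what you are looking for. The Python below is an added example, not from the thread or from Microsoft AntiSpyware. The registry key path and the single stock CLSID in KNOWN_GOOD are assumptions to verify against your own Windows build, and the SAMPLE_HOOKS entries are constructed so the classification runs off-Windows; on Windows the script reads the live key instead.

```python
import os
import sys

# Assumptions for illustration (not from the thread): the key Explorer consults for
# shell-execute hooks, and the one CLSID a stock Windows XP install registers there
# (shell32.dll's URL Exec Hook). Adjust KNOWN_GOOD for your own build.
HOOKS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
KNOWN_GOOD = {"{AEB6717E-7E19-11D0-97EE-0000F87C9C24}": "URL Exec Hook (shell32.dll)"}
SYSTEM_DIRS = ("c:\\windows\\system32\\",)

# Constructed sample of (CLSID, InprocServer32 path) pairs, shaped like read_hooks()
# output: the stock hook, an unknown CLSID served from a user temp directory, and a
# CLSID whose COM registration no longer resolves to a DLL. The GUIDs are made up.
SAMPLE_HOOKS = [
    ("{AEB6717E-7E19-11d0-97EE-0000F87C9C24}", r"C:\WINDOWS\system32\shell32.dll"),
    ("{11111111-2222-3333-4444-555555555555}", r"C:\DOCUME~1\user\LOCALS~1\Temp\hook.dll"),
    ("{66666666-7777-8888-9999-000000000000}", None),
]


def classify_hooks(hooks, known_good=KNOWN_GOOD):
    """Return (clsid, path, verdict) per hook: 'known', 'orphaned', 'suspicious' or 'review'."""
    out = []
    for clsid, path in hooks:
        if clsid.upper() in known_good:
            verdict = "known"
        elif not path:
            verdict = "orphaned"     # hook registered but no InprocServer32: dead entry, remove it
        elif not os.path.expandvars(path).lower().startswith(SYSTEM_DIRS):
            verdict = "suspicious"   # hook DLL outside the system directory; confirm the publisher
        else:
            verdict = "review"       # unknown CLSID in system32: check the file's signature/publisher
        out.append((clsid, path, verdict))
    return out


def read_hooks():
    """Windows only: enumerate the hooks key and resolve each CLSID's InprocServer32 path."""
    import winreg
    hooks = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HOOKS_KEY) as key:
        index = 0
        while True:
            try:
                clsid, _, _ = winreg.EnumValue(key, index)   # value name is the CLSID
            except OSError:
                break                                         # no more values
            index += 1
            path = None
            try:
                with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID\\" + clsid + "\\InprocServer32") as srv:
                    path, _ = winreg.QueryValueEx(srv, "")    # default value holds the DLL path
            except OSError:
                pass                                          # CLSID not registered: orphaned
            hooks.append((clsid, path))
    return hooks


if __name__ == "__main__":
    hooks = read_hooks() if sys.platform == "win32" else SAMPLE_HOOKS
    for clsid, path, verdict in classify_hooks(hooks):
        print(f"{verdict:10} {clsid}  {path or '(no InprocServer32)'}")
```

Legitimate vendor software does occasionally register a hook from Program Files, so "suspicious" means "go and look at the file", not "delete"; the "orphaned" case is the one you can clear without a second thought.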
     