Trojan.Downloader.KavSvc and Unclassified.Spyware.61 Spyware


JohnKing

Hi:

The following problem is found on a continuing basis by Microsoft Antispyware:

Trojan.Downloader.KavSvc

when it tries to install itself. MS AntiSpyware says that it removes it, but it always returns. The Unclassified.Spyware.61 Spyware is usually found in the subsequent scan along with the KavSvc.

I've updated and run

Ad-Aware
Spybot
Microsoft AntiSpyware

along with the other items in, and according to, the instructions in the

WebSearch-Removal.txt

file. But I haven't been able to rid my machine of this problem. I have also run Trend Micro (http://www.trendmicro.com/spyware-scan/).

I've attached the HijackThis file.

Thank you, yet again, for whatever help you can provide.

John
 

Attachment: HijackThis.txt (4.7 KB)
Don't see any baddies, but the Chronology stuff is out of whack.

Boot in Safe Mode.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.


Next, try to UNinstall anything to do with (not delete yet!):
C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chronology.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EE0AA4F-79EC-4BD1-A094-EDE31147A61C}: NameServer = 172.16.2.5,172.16.2.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chronology.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chronology.com
O23 - Service: TD FLEXid 8 - Unknown owner - C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe (file missing)
O23 - Service: TD FLEXid 9 - Unknown owner - C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe (file missing)
O23 - Service: Test FLEXID NodeLocking - Unknown owner - C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, delete the Chronology directory with everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal.
===========================================================
Download Ewido Security Suite (trial) from http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Start Ewido. When you run it the first time, you get a warning "Database could not be found!". Click OK.
On the main screen, click on Update in the left menu, then click the Start Update button.
After the Update finishes, the status bar at the bottom will display "Update successful".
-- If you have problems updating see here: http://www.ewido.net/en/download/updates/
Once the updates are installed do the following:
Click on Scanner
Make sure the following boxes are checked before scanning:
- Binder
- Crypter
- Archives
Click on Start Scan and let Ewido scan the PC.
While the scan is in progress, you will be prompted to 'Clean files'; click OK.
When the scan is done, you'll find a Save report button at the bottom of the screen.
Click 'Save report' and save it to your desktop.
Reboot your PC and post back the Ewido Scanlog as a .txt attachment.
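The helper's instruction above hinges on reading O17 (TCP/IP DNS settings) and O23 (installed services) lines out of a HijackThis log and deciding which ones deserve a tick-mark. The script below is an added example, not code from the thread or from HijackThis itself: it parses those two line types and classifies them the way the helper did by eye, flagging services whose binary is missing (orphaned entries), services with no recorded vendor, and NameServer values that are not on a trusted list. The sample log is constructed from the lines quoted in the thread plus one made-up benign service line, and the trusted-resolver list is an assumption you would fill in with your own ISP's or LAN's resolvers.

```python
"""Triage the O17 (DNS) and O23 (service) lines of a HijackThis log.

Added example, not code from the thread or from HijackThis. The sample
log below is constructed from the lines quoted in the thread plus one
made-up benign service line; the trusted-resolver list is an assumption.
"""
import ipaddress
import re

# Constructed sample: the thread's O17/O23 lines plus one benign O23 line.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chronology.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EE0AA4F-79EC-4BD1-A094-EDE31147A61C}: NameServer = 172.16.2.5,172.16.2.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chronology.com
O23 - Service: TD FLEXid 8 - Unknown owner - C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe (file missing)
O23 - Service: Test FLEXID NodeLocking - Unknown owner - C:\Program Files\Chronology\TimingDesigner\FlexLM\win32\bin\lmgrd.exe (file missing)
O23 - Service: Example Updater (constructed) - Example Corp - C:\Program Files\Example\updater.exe
"""

# O17: "<registry key>: <Setting> = <value>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<value>.+)$")
# O23: "Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


def _check_o17(m, line, trusted):
    """Flag resolvers not on the trusted list; note DNS suffixes for review."""
    if m["name"] == "NameServer":
        out = []
        for ns in m["value"].split(","):
            ns = ns.strip()
            if ns in trusted:
                continue
            try:
                private = ipaddress.ip_address(ns).is_private
            except ValueError:
                private = False  # not an IP literal at all: treat as suspect
            if private:
                out.append(("info", line,
                            f"resolver {ns} is a private LAN address; plausible on a corporate network"))
            else:
                out.append(("high", line,
                            f"resolver {ns} is public and not in the trusted list; verify it is your ISP's"))
        return out
    if m["name"] == "Domain":
        return [("info", line,
                 f"DNS suffix '{m['value']}' is set; expected on a domain-joined machine, otherwise review")]
    return []


def _check_o23(m, line):
    """Orphaned services (missing binary) and unattributed services get flagged."""
    if m["missing"]:
        return [("medium", line,
                 f"service '{m['svc']}' points at a binary that no longer exists; orphaned entry")]
    if m["owner"] == "Unknown owner":
        return [("low", line,
                 f"service '{m['svc']}' has no recorded vendor; check the binary at {m['path']}")]
    return []


def analyse(log_text, trusted_nameservers=frozenset()):
    """Return (severity, line, reason) tuples for O17/O23 entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O17_RE.match(line)
        if m:
            findings.extend(_check_o17(m, line, trusted_nameservers))
            continue
        m = O23_RE.match(line)
        if m:
            findings.extend(_check_o23(m, line))
    return findings


def count_by_severity(findings):
    """Summarise a findings list as {severity: count}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, line, why in analyse(SAMPLE_LOG):
        print(f"[{sev:6}] {why}\n         {line}")
```

Run against the thread's lines, the script reports the two "(file missing)" services as orphaned entries, and rates the 172.16.x.x resolvers and the chronology.com suffix as informational because private addresses plus a matching DNS suffix is exactly what a domain-joined workstation looks like, which matches John's later explanation. A public resolver that is not on your trusted list is the case that would come out as high severity, since a silently rewritten NameServer is how DNS-hijacking spyware redirects a machine.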
 
After Ewido

Hi:

The Chronology stuff does look odd, but I know exactly what it is about and the status as shown makes sense to me. I can go into detail about it if you'd like, but it isn't the problem. Regardless, I did remove the services using HJT. I need the TCP/IP settings.

I've attached the Ewido report.

Thanks for your time,

John
 

Attachment: Scan report_20050729.txt (36.1 KB)
Update

Just a note to let you know that since running Ewido earlier today, Microsoft Spyware hasn't complained about anything trying to install itself. It may be that it's now removed.

John
 
Seems that friend Ewido cleaned out quite a few hidden 'lurkers'.
Those first HKLM lines and the last C:\WINNT lines contained the real nasties that don't show up normally.
You should be fine now.

PS: delete your cookies once a week or more often as well as your temporary internet cache in both Firefox and IE (should use IE only for Windows updates!).
 
Hi John,

I got this one too. I don't think it's residing in your start-up or IE BHOs. Review your Shell Execute Hooks configuration. On mine it gets executed from the Control Panel shell.

Try this.
From Microsoft Anti-Spyware. Go Advanced Tools --> System.

-Mickenth
 