Avast WEBforum

Other => Viruses and worms => Topic started by: snoopytp on August 25, 2008, 10:41:02 PM

Title: Virus Removal and System Restore Assistance Needed!
Post by: snoopytp on August 25, 2008, 10:41:02 PM
HI,

I am new to this community and have been reading some posts for some help.

My work machine (a Mac Book that is Bootcamped to run Windows) was hit with a few Trojans over the weekend that killed my desktop and is causing other fun errors.

Some of the viruses that hit the machine include:
Downloader.FraudLoad (3 total)
Worm/Delf.BCK (4 total)
Trojan horse Agend.AADP (3 total)
Trojan horse Downloader.Generic7.AHWY (2 total)
Win32/PEPatch.I (1 total)
Trojan horse Generic_c.VCZ (2 total)
Worm/Delf.AKZ (1 total)

These viruses mostly hit .dll and .exe files according to the reports. I did run both an AVG and an Avast and both have moved these viruses to their vault/chest respectively. Does doing this "clear out" those viruses from my machine? I ask because my desktop is still appearing "white" and when I try to reset the properties, the Desktop Appearance tab still does not appear.

In addition (and I have no idea if these things are related), I'm getting an error saying that "C:\...Local Settings\Temp\.tt6.tmp.vbs" failed and the access is denied. This is also happening for .tt7.tmp.vbs and .tt9.tmp.vbs. Do I need any of these files and if so, how can I repair/fix these?

Finally, I am getting a DW20.exe DLL initialization failed message when shutting down. This is relatively newly occurring as well.

I would appreciate any help here. I'm not very tech savvy on computers, but know enough to be dangerous.


Thanks so much in advance!
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: wyrmrider on August 25, 2008, 10:59:11 PM
Having BOTH Avast and AVG installed can ruin your day
for now configure ONE to NOT start at boot time

well let's hope your download and internet connection still work
do you have any anti spyware apps loaded?

can you download, install and update and run Malware Bytes Anti Malware? (free) ignore the nag screen
click REMOVE  a backup will be created
post the log

read the sticky at the start of this forum on HJT
do not click "OPEN" in your downloader but save to a file- NOT TEMP- NOT DESKTOP
close all browser windows and SCAN
DO NOT FIX anything just post the log

what os etc
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: polonus on August 25, 2008, 11:20:43 PM
Hi snoopytp,

Let me explain why wyrmrider tells you this. Two resident anti-virus solutions on one machine is asking for trouble; they start to find each other's signatures. It is a bit like two dogs guarding a house that start to fight amongst each other, bad for protecting the house. The same story goes for two software firewalls.

What is a good possibility is to combine one resident av solution, like avast, with several non-resident av programs (ClamAV for instance, or a stand-alone like DrWebCureIT; you can also install these (always update to the most recent version) onto a pendrive alias USB-stick or flash drive).
One resident AV engine can also be combined with programs like Comodo BoClean, TrendMicroBotted and SuperAntiSpyware. That is my formula; other anti-spyware programs are there to protect, like SpywareBlaster, a-squared Free and MBAM, at least that is my personal cocktail. Wyrmrider would have another cocktail of which S&D is part. But two "resident" av scanners, don't do it, it is asking for trouble.

polonus

Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: DavidR on August 25, 2008, 11:27:54 PM
Even when not configured to start on boot, resident scanners load low level device drivers, which can still conflict possibly leaving you less protected.

I suggest you uninstall AVG and also run this tool, AVG Remover; download the tool from here, http://www.grisoft.com/ww.download-tools . There is a 32-bit and a 64-bit Windows version, ensure you use the correct one.

Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: snoopytp on August 25, 2008, 11:40:40 PM
HI,

Thanks for the advice on the double scanners. I had no idea.

I did uninstall AVG and used the tool suggested so now that is removed.

I am also trying to find a version of the software suggested by wyrmrider so that I can add those as well.

I do appreciate all the help!
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: DavidR on August 25, 2008, 11:48:03 PM
MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe , right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: Tarq57 on August 26, 2008, 02:23:41 AM
snoopytp
Was it AVG Antispyware that was installed (will run OK with another AV such as Avast) or AVG AV (will not)?
(AVG Antispyware is no longer available as a separate download, BTW, it's been integrated into the latest AVG "suite".)
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: wyrmrider on August 26, 2008, 06:14:40 AM
good question
was it
AVG ANTIVIRUS
or
AVG ANTISPYWARE you had installed?

anyway- looking for the MBAM report
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: snoopytp on August 26, 2008, 03:42:46 PM
Morning,

It was AVG Antivirus I had (which is now uninstalled).

Attached is the log file from the MBAM. It's not pretty...

Am definitely nervous to hear what else I can do to fix my machine. But I do appreciate all the help (it is really an education in antivirus prevention that I am learning).


Thanks!
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: DavidR on August 26, 2008, 04:18:58 PM
OK I have had a quick look at your MBAM log and if you have closed it down you will need to run the scan again, when you get the summary of the scan, click the Show Results button, see image1.

This will list all of the detections, you will notice a check box to the left of the entries.

Check/Tick all the ones which have anything to do with (Trojan.FakeAlert), or (Rogue.Multiple), or (Rogue.AntivirusXP2008) and (Trojan.Downloader), see image2.

Leave the ones marked (Hijack.Wallpaper) or (Hijack.DisplayProperties) as they are.

Now click the Remove Selected button, that will send a copy of the entries to Quarantine and remove the originals.

Run MBAM again and confirm that all those selected are now gone (post another log); you should be left with the ones marked (Hijack.Wallpaper) or (Hijack.DisplayProperties). These really aren't a problem if it was you that tweaked your windows settings to change the default value; if so check/tick all the entries and this time click the Ignore button, see image2.

Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: snoopytp on August 26, 2008, 09:24:58 PM
HI,

I did run the MBAM again, and it found 82 items. I removed the ones suggested, and am running the application again (will report this when it finishes).

However, I did not change my settings on my desktop/display (I honestly don't know how to do this via RegEdit) so I am still concerned about fixing that (see attached image for what my desktop currently looks like). Any advice on what to do next?
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: DavidR on August 26, 2008, 09:52:12 PM
You don't have to change it using regedit, you can customise how your desktop looks and what is displayed in the Start button menu using the GUI and that changes the registry entry.

None of the entries marked (Hijack.Wallpaper) or (Hijack.DisplayProperties) is critical (IMHO); they are cosmetic. I haven't asked you to fix anything relating to your desktop/display using regedit or otherwise.

Using the MBAM Ignore makes no changes to the settings it just ignores them on future scans. This is why I said to leave them alone and deal with the malicious ones first. Then run MBAM again and these should be the only ones found and in this second step we are going to select Ignore.

However, you still seem to have fake alert malware even after removing the majority of the ones previously mentioned. Unfortunately your screenshot is both too big (full screen screenshot) and at the same time too small. I can't read the pop-up window title or other information which may help. So you could do a screenshot of just the pop-up window at normal size.

Are you using a firewall, if so what?

Or are you saying this pop-up is a part of the desktop wallpaper and doesn't change?

Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: snoopytp on August 26, 2008, 10:01:10 PM
Hi,

Here's another shot of the warning on my desktop (it has taken over as my wallpaper and I can't seem to change it). When I try to reset my wallpaper by right-clicking on the screen, going to Properties, and then going to the appropriate tab, the tab I want to update no longer appears. Argh...

Still waiting for this latest MBAM to finish to be sure that everything was properly removed.

I appreciate the patience walking me through all of this...
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: Lisandro on August 26, 2008, 10:31:51 PM
To which program does this alert belong?
Isn't it a fake (rogue) alert?
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: snoopytp on August 26, 2008, 11:53:39 PM
HI,

After running the MBAM again, here's the log file (see attached).

Should I still just "Ignore" these?
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: DavidR on August 27, 2008, 12:05:37 AM
It looks fake to me, how would it know you have malware on your system without doing a scan, answer it doesn't. The title in the Title Bar is very generic and seems to pretend to be official, e.g. 'Windows Warning Message!.'

I suspect that the Please Activate your antivirus button is the hook to infect or take you to a site to take your money or infect.

I have taken another look at your original log and this one is the culprit for this display.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe

Do a search of your system for this file scrnsave.exe - Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image.

add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

####
OK snoopytp, it should report the (Hijack.Wallpaper) again and it is possible that this is the cause of the change and your inability to change it back to the defaults. So select the entries for (Hijack.Wallpaper) and use the Remove Selected button. Don't worry, we should be able to recover from Quarantine if required.

I will have a look at the new log, I was typing this when you posted.

Edit, it may well be best to also select the other items for removal as well:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: DavidR on August 27, 2008, 12:15:36 AM
OK, back after another look.

The (Hijack.DisplayProperties) entries look different to the one on my system which I have had MBAM ignore; these ones are in Policies\System, a level up in Policies, which means they are less likely to have been user set. So as my edit in the last post says, add these to the Remove and click Remove Selected.

Now run MBAM again, but this time a Quick scan should be enough and much quicker; report any findings.
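The triage rule DavidR applies above (remove the rogue/fake-alert families outright, remove Hijack.DisplayProperties entries that sit under Policies\System because those are policy lockouts rather than user cosmetics, and only Ignore the cosmetic ones the user set themselves) can be scripted against the MBAM log line format quoted in the thread. This is an added example, not code from the thread or from Malwarebytes; the sample log lines are constructed in that format (the two Policies\System lines mirror the ones quoted above) and the category names come from the posts.

```python
import re
from dataclasses import dataclass

# Constructed sample in the 2008 MBAM log line format quoted in the thread.
SAMPLE_LOG = """\
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\\Control Panel\\Desktop\\scrnsave.exe (Hijack.Wallpaper) -> No action taken.
C:\\Documents and Settings\\user\\Local Settings\\Temp\\example.exe (Trojan.FakeAlert) -> No action taken.
"""

# "<path> (<Family.Name>) -> <rest>"; path is matched lazily up to " (".
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<category>[A-Za-z0-9_.]+)\) -> (?P<rest>.+)$")
# Families the thread says to remove outright.
REMOVE_FAMILIES = {"Trojan.FakeAlert", "Rogue.Multiple", "Rogue.AntivirusXP2008", "Trojan.Downloader"}
# Cosmetic families that may legitimately be user-set.
COSMETIC_FAMILIES = {"Hijack.Wallpaper", "Hijack.DisplayProperties"}

@dataclass
class Finding:
    path: str
    category: str
    action: str  # "remove" or "review"

def parse_line(line):
    """Return (path, category, rest) for a detection line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("category"), m.group("rest")

def triage(path, category):
    if category in REMOVE_FAMILIES:
        return "remove"
    if category in COSMETIC_FAMILIES:
        # A restriction under Policies\System (e.g. NoDispBackgroundPage hides the
        # Desktop tab) is a policy lockout and is rarely something the user set.
        if "\\Policies\\System\\" in path:
            return "remove"
        return "review"  # Ignore in MBAM only if the user made the change themselves
    return "review"

def triage_log(text):
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            path, category, _ = parsed
            findings.append(Finding(path, category, triage(path, category)))
    return findings
```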

Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: wyrmrider on August 27, 2008, 12:19:32 AM
When DavidR says "so select the entries" he means to run the MBAM quick scan and to put a check in the box next to the hit
then click REMOVE
as DavidR says a backup will be generated

You're doing great
I do not have XP on this machine so cannot run MBAM, so my instructions sometimes are too brief
thanks for understanding
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: snoopytp on August 27, 2008, 12:51:27 AM
HI!

Thanks so much for all your help! I got my desktop display back and there aren't any more errors!

Here's the latest log!

I can't thank you all enough for your help! You guys are definitely going on my blog and Twitter!
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: wyrmrider on August 27, 2008, 01:13:35 AM
Ah that log is better
now that the panic's over
can you run secunia software inspector and make sure your apps are up to date
run an on line AV scan like Kaspersky
report any hits- kaspersky finds but does not fix
since we removed avg let's monitor avast -
rt click the blue ball and click about- are your definitions current?  It should be today's date
rt click the blue ball and select update> programs
(did it work?)

download and run CCleaner- check things like temp files and cookies, recycle bin to remove
defrag your hard drive
set a new restore point

how much memory do you- oops your computer have?
Title: Re: Virus Removal and System Restore Assistance Needed!
Post by: DavidR on August 27, 2008, 02:14:47 AM
Thanks so much for all your help! I got my desktop display back and there aren't any more errors!

Here's the latest log!

I can't thank you all enough for your help! You guys are definitely going on my blog and Twitter!

You're welcome.

The log looks fine now, sneaky little blighters ;D

I asked about what firewall you used as that is an essential part of your security?

Now you are clean the task is to keep on top of it, update MBAM weekly and do a Quick scan as a back-up to avast, if avast does happen to detect something do a Full scan with MBAM.