Problem Virus?

[jdd3]

Hi Everyone,

I Have Avast and AVG installed on my computer. I have a virus or worm that has stopped my virus checkers from working by removing or disabling (they do not show) the .exe files in both Avast and AVG. Also none of my browsers work properly even though I am online. I get my email but html images are disabled.  Does anyone have any knowledge of a virus that has these symptoms? If so let me know the name(s).

Currently I am in the process of running the Avast virus cleaner tool which shows no viruses so far.

Thanx,

JDD3

[DavidR]

Firstly it isn't advisable to have two resident scanners on your system, as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable. So I would suggest you uninstall the remnants of AVG so we can try and tackle the problem.

This could be a Bagle Rootkit variant:
See http://forum.avast.com/index.php?topic=26554.0
http://forum.avast.com/index.php?topic=25941.0
This seemed to have the best results with this type of attack and is reasonably user friendly.
http://research.pandasoftware.com/blogs/research/archive/2006/12/14/Rootkit-cleaner.aspx
Also F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight - Direct line, ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

Edit: This topic is current and may be worth following, if the above doesn't resolve it.

[mauserme]

Let's take a closer look at what's going on.

Download Deckard's System Scanner (DSS) to your Desktop.

• Close all applications and windows.
  
• Double-click on DSS.exe to run it, and follow the prompts.
  
• The scan may take a minute. When the scan is complete, a text file will open - Main.txt
  

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the  Deckard's System Scanner  to run and don't let your Antivirus delete it. (In this case, it may be better to temporary disable your Antivirus)

Post the  main.txt from the C:\Deckard\System Scanner folder into your next reply.



Follow this with a WinPFind3u log:

Download WinPFind3u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

• Close ALL OTHER PROGRAMS.
  
• Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  
• Under Additional Scans click the checkboxes in front of the following items to select them:
  
  (no addiitonal options)
  
• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  

Use the Add Reply button and Copy/Paste the information back here.  If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts

[jdd3]

Hi Again,

DavidR,

Tried both rootkit cleaner and blacklight with no good results.

mauserme,

I ran Deckard's System Scanner and WinPFind3u.exe  and got results but since posts here have a limit of 10,000 characters will have to find the best way to post. (I would have to break up the text files into over 12 separate postings - I have a lot on my computer.) What do you suggest? email attachment? or?

[DavidR]

Break the log down into pieces using copy and paste, creating multiple posts to fit it in.

[oldman]

Or, use the file attachment on the reply page. It's under additional options.

[mauserme]

Either multiple posts or attaching the logs will be fine, jdd3.  Use whichever method is easiest for you.

[jdd3]

Hi DavidR & Mauserme,

Here are the two files: (attached)

JDD3

[mauserme]

Please download OTMoveIt by OldTimer and save it to your desktop.

Next, double-click OTMoveIt.exe to run it.  Copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose copy):


c:\windows\system32\drivers\srosa.sys
c:\windows\exefld\


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply with a fresh DSS log.

Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move
process. If you are asked to reboot the machine choose Yes.


After posting both logs see if you are able to reinstall avast! and also test whether or not you can boot to safe mode.  Then let me know how that works out.

Also, as David pointed out, running avast! and AVG AntiVirus is not advisable, but avast! and AVG AntiSpyware is a very good combination.

[jdd3]

Hi again MauserMe,

I have attached the OTMoveIt Log below.

I tried Safe Mode but it kept returning to the F8 screen.

I reinstalled Avast and took a look at the files and the avast exe file did not show. However somehow I managed to exit and get the Avast boot scan to run, so currently it is running. I don't know if the antivirus part is fixed or not, but hope the scan finds my other problem and repairs (browsers won't work). I'll check tomorrow after the scan finishes.

OTMoveIt Log:

c:\windows\system32\drivers\srosa.sys moved successfully.
File/Folder c:\windows\exefld\c:\windows\system32\drivers\srosa.sys not found.
c:\windows\exefld moved successfully.
 
Created on 11/16/2007 23:17:49

Thanx for all your help so far.

JDD3

[mauserme]

To fix the safeboot:
 
Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe
It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply and let me know if you can access Safe Mode now?

(Ta to Essexboy from whom I stole this    )


In regard to the images I would like you to check a setting in Internet Explorer but your registry currently contains an entry that may keep you from doing this.  This registry item was probably set by you in SpyBot or a similar program to prevent changes to your home page, etc.  If you remember which program you used and can access it please change the setting back.  Otherwise let me know.

Here's the IE setting:  click Tools>Internet Options>Advanced.  Scroll down to Multimedia and make sure there is a check mark next to Show Pictures.


Let me know how the boot scan works out, and don't forget the new DSS log.  The srosa.sys file we deleted is a rootkit that may have been hiding other elements.  Now that it's gone we may see more with DSS.

File/Folder c:\windows\exefld\c:\windows\system32\drivers\srosa.sys not found.

Carefull how you copy things.  That line  is sort of a combination of the two I posted.  This didn't do any harm, but if you coincidentally make an entry that matches a valid path we might end up deleting something you want to keep