One Nasty Virus/Trojan - Kills all virus scanners

[Lynn210]

I am trying to upload to a share host MediaFire
but it does not seem to want to take the file..

It is stuck on initializing..

There is another file share host debuggers use but I cant
remember the name of it.

Do you know of a file share place that will take a file from
Linuz OS

[Lynn210]

Tried something else ..

[Lynn210]

Let me know if they made it ok
 

[Lynn210]

Is it possible to access the Avast vault from Puppy Linux

[edifyguy]

Ah, yes! I see said the blind man as he picked up a hammer and saw! 

Click the "Console" icon and type this in:

"rm -f /mnt/sda2/WINDOWS/syssvc.exe" without the quotes. It IS case sensitive.

Then:

"rm -r -f /mnt/sda2/Program\ Files/MyWebSearchWB"

If you get no complaints, that means that those two are goners.

Now, let's let XF-prot off its leash a bit more. Set heuristics to "Maximum", and check the boxes next to "Scan inside archives" and "scan for other various malware"

Before you do that, though, just for grins, hit the update button one more time and see if there's any newer updates from our friends at f-prot.

Allowing it to check inside archives should actually make the logfile shorter, as it won't skip them all and note that it did.

I look forward to the results of the next scan. I feel like we're actually making progress now.

[edifyguy]

Is it possible to access the Avast vault from Puppy Linux

Yes, it is, sort of. The files can be accessed from the sda2 icon or from /mnt/sda2. They live in Program Files/Alwil Software/Avast4/DATA/chest but the files are not named anything but random names. What was found and which is which is tracked in index.xml which lives there with them.

I'm curious as to what your index.xml contains......could you upload that for us while your next scan is progressing? Rename it to .txt and it should upload. It should be small.

By the way, anything will take files from Linux, if the browser in use supports the usual protocols. You're using Seamonkey, which is sorta a mongrelized FireFox.....pretty standard stuff.......I'm surprised that you're having trouble with things like uploads, as I'm using the exact same software as you are to type this. I've not had trouble with things like that from Puppy.

[Lynn210]

Ah, yes! I see said the blind man as he picked up a hammer and saw! 

Click the "Console" icon and type this in:

"rm -f /mnt/sda2/WINDOWS/syssvc.exe" without the quotes. It IS case sensitive.

Then:

"rm -r -f /mnt/sda2/Program\ Files/MyWebSearchWB"

OK .. they both came back cannot remove read only file system

When you type thes commands.. you need to indicate where there is a space.. it is very hard to tell for some reason..

[edifyguy]

Here's a script to do it, hopefully. It should give you an idea of what it did, but might not. It should wait for 10 seconds after it's done so you can read what it did, if anything didn't work. Rename it to remove the .txt and it's a script.

[Lynn210]

I tried to run a new scan but it is acting strange

I updated ok

Then when I click f1 to scan it says file name already exists overwrite
I say ok .. then it opens the old file.. the program flickers but it does not look
like it is doing anything..

So I tried using a different file name xfprot2.log
Same thing.. it opens the old file.. flickers and does not appear to be
doing anything.

Should I try deleting the old file? or what

[Lynn210]

Sorry to seem so dumb 
but how do I run the script?

Youre the pro not me this is all new to me 

[edifyguy]

Ummmm.......flickers? I confess I don't know what you mean by "flickers." If you reuse the log filename, it will ask about that, but it should start cooking.

With these options it will run much slower, but as long as the thingy by "Scanning: /" keeps moving once in awhile, it's OK. Does it appear to be scanning?

[edifyguy]

Sorry to seem so dumb 
but how do I run the script?

Youre the pro not me this is all new to me 

Just save it on down to the my-documents folder, right-click it, select "File remove1.sh.txt > Rename" and then remove the .txt from the end of it. It will then be able to be run just by clicking on it. (The icon will change to a green program window thing.)

[Lynn210]

It doesn't say scanning anywhere.. it opens the old report
window .. the window has a title that says;

xterm_simulate_hold.sh

but nothing is changing
the old file info is there and it looks exactly the same.

You have a copy of the old log so why dont I try getting
rid of the old log.

Check this info to:

Path to scan

/mnt/sda2

Report file

/mnt/sda2/xfprot.log

Report Only
Maximum
Scan Inside Archives
Scan for various other malware

[edifyguy]

Looks like you're doing everything correctly. Try closing XFPROT and starting it again from the menu. Be sure to check your settings after doing that.

Did you get the remove script to go?

[edifyguy]

One other thought: is there still a green ball by the sda2 icon? There should be. If not, just click it once and it should come back.