Solved

AVG and AdAware files installation deleted

Posted on 2004-10-14
Last Modified: 2010-07-27
I am a computer tech in New Zealand, reasonably used to removing viruses, but I have struck a particular one which has me baffled.
On XP Home I removed Instant Access and the following viruses (Housecall names): troj_wintrim.a; troj_wintrim.aw; troj_nex.b; worm_dandi.a; joke_train.a; worm_sdbot.rs; troj_dialer.sa
However when I tried to install AVG, AdAware and Spybot only Spybot would install and run. AVG and AdAware would not even execute from the installation files (and I have done so from the same files before and since - I carry them around on my CD and flash drive). Even more bizarre is that when I reboot and go back to the files to try again, they have been deleted - even from a flash drive!
I have done a repair of the XP files (restore over the top of itself) and put in SP2, to no avail.
The customer is 30 miles away and doesn't want me to take the computer away, so it would assist me greatly if someone could simply identify the virus, rather than suggest small tweaks... any ideas?
Question by:JohnDecker
7 Comments
Accepted Solution by Lobo042399 (LVL 17), earned 500 total points, ID: 12313397
Hi John,

That sounds nasty. Have you tried a scan with Process Explorer to identify any nasties running in the background? I would also try running an online scan from either Symantec or TrendMicro.

Symantec:
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

Trend Micro:
http://housecall.antivirus.com/housecall/start_corp.asp

Another thing I would give a run is TrojanRemover... if it installs.

What else.... How about trying the installation of AVG in Safe Mode? Tried that?

Those are a few ideas. I don't think anyone can positively identify the particular infection you're dealing with without more details. Some may suggest HijackThis! I would not go that far just yet. Let's see what Process Explorer comes up with first.

To download Process Explorer, Trojan Remover, and some other tools, you can go to:

http://www.gatesofdelirium.com/ee/tools/

Good Vibes!

Lobo
 
Expert Comment by ghana (LVL 11), ID: 12320180
Taken from http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.R about the SDBOT variant:
"This malware propagates via shared network drives. It has backdoor capabilities of connecting to an Internet Relay Chat (IRC) server and listening for remote commands from a malicious user. Then, it executes the commands, virtually handing out access and control of the affected system to the malicious user."

I would not do any repair on that computer. Nobody knows what the "malicious user" has already done on that system. Because of that we are not able to undo these steps. I would recommend erasing the hard disk and beginning with a fresh install.
 
Expert Comment by Lobo042399 (LVL 17), ID: 12320838
There are several backdoor trojans that do that, and the majority of them exploit the access granted to use the compromised machines in Denial of Service attacks. Unless John knows or suspects that there is someone in particular who would be interested in hacking his machine for personal reasons I would not worry about that. Wiping the HD is always the last resource. Well, second to last... the last resource is trashing the box and getting a new one.

Good Vibes!

Lobo
 
Expert Comment by ghana (LVL 11), ID: 12320988
I suspect that the machine is already hacked. Otherwise removing the detected trojans must result in a clean system. But installation failures of AVG and Ad-Aware indicate that the machine is not clean. That's the reason why I would worry about that. If this were my computer I would wipe the HD...
 
Author Comment by JohnDecker (LVL 4), ID: 12324813
Thanks - I thought I had posted a comment earlier after Lobo's first post, but obviously forgot to submit...

I have downloaded all the tools I think will be useful and will advise. My take on it is that Housecall simply missed whatever it is that is doing it, so the system still isn't clean, not necessarily hacked. Despite all the hype I have never actually come across a machine where someone else has obviously taken control, and as long as it is not connected I should be able to beat it. I could wipe the hard drive, and I may end up doing so - it may even work out cheaper for the customer - but you all know the hassle that involves, so it will be a last resort. Well, third last: second last is buying a new one, and my last resort is my favourite; I go out to a friend's farm and shoot old computers that really annoy me.  :o)
I'll let you know on Monday how it went.
 
Author Comment by JohnDecker (LVL 4), ID: 12337158
OK, all done. Only a B because I had to do the work, but it was the tools that really solved it, and the link which enabled me to get to them.
I used DLL Compare and Kill Box. Compare found 6 DLLs that were questionable - checked their properties etc. and deleted them. One would not go - even in Safe Mode - xsdsx2muuby.dll, which I presume is a random name. It comes from Melkosoft, a Russian outfit. Kill Box did the trick where nothing else would and AVG, AdAware etc. all started to run beautifully.
Found endless backdoor trojans, porn downloaders and dialers and left the mother asking which of her kids had been looking up pretty hard core porn on the net...
Thanks guys
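As an added example (not from the original thread and not one of the tools it names), a small Python triage script in the spirit of the DLL Compare step John describes: it diffs a DLL listing against a known-good baseline and flags newly appeared names that look randomly generated, such as xsdsx2muuby.dll. The baseline set, the current listing and the name-randomness thresholds are constructed assumptions for the demonstration.

```python
"""Diff a DLL listing against a known-good baseline and flag random-looking
names among the additions. Added example, not a tool from the original post."""
import os
import re

# Constructed sample data (assumption): a tiny baseline of expected DLLs and a
# listing that gained two files, one legitimate and one with the name from the thread.
BASELINE = {"kernel32.dll", "user32.dll", "ntdll.dll", "shell32.dll", "advapi32.dll"}
CURRENT_LISTING = BASELINE | {"xsdsx2muuby.dll", "oleacc.dll"}

VOWELS = set("aeiou")


def snapshot(directory):
    """Return the set of lower-cased .dll names in a directory (for live use)."""
    return {n.lower() for n in os.listdir(directory) if n.lower().endswith(".dll")}


def compare_dlls(baseline, current):
    """Return (added, missing) relative to the baseline, like a DLL Compare run."""
    return sorted(current - baseline), sorted(baseline - current)


def looks_random(name):
    """Heuristic: does the file stem look machine-generated?

    Flags a low vowel ratio, a long consonant run, or a digit wedged between
    letters. Legitimate DLLs can trip this too, so a hit means "inspect the
    file's properties and publisher", not "malicious".
    """
    stem = name.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:  # too short to judge
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    consonant_runs = re.findall(r"[b-df-hj-np-tv-z]+", stem)
    longest_run = max((len(r) for r in consonant_runs), default=0)
    embedded_digit = re.search(r"[a-z]\d+[a-z]", stem) is not None
    return vowel_ratio < 0.25 or longest_run >= 5 or embedded_digit


def triage(baseline, current):
    """Map each DLL that is not in the baseline to whether its name looks random."""
    added, _missing = compare_dlls(baseline, current)
    return {name: looks_random(name) for name in added}


if __name__ == "__main__":
    for name, suspicious in triage(BASELINE, CURRENT_LISTING).items():
        print(f"{name}: {'inspect (random-looking name)' if suspicious else 'new, name looks normal'}")
```

For a live check, build the baseline with snapshot() on a known-clean machine of the same Windows version and compare it with snapshot() on the suspect system.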
 
Expert Comment by Lobo042399 (LVL 17), ID: 12338137
Hi John,

Thanks for the points. Yeah, I love those looks moms give their kids when they find out they haven't really been downloading pictures of Spongebob. Glad you got the case solved.

Good Vibes!

Lobo