Solved

AVG and AdAware files installation deleted

Posted on 2004-10-14
510 Views
Last Modified: 2010-07-27
I am a computer tech in New Zealand, reasonably used to removing viruses, but I have struck a particular one which has me baffled.
On XP Home I removed Instant Access and the following viruses (Housecall names): troj_wintrim.a; troj_wintrim.aw; troj_nex.b; worm_dandi.a; joke_train.a; worm_sdbot.rs; troj_dialer.sa
However, when I tried to install AVG, AdAware and Spybot, only Spybot would install and run. AVG and AdAware would not even execute from the installation files (and I have done so from the same files before and since - I carry them around on my CD and flash drive). Even more bizarre is that when I reboot and go back to the files to try again, they have been deleted - even from a flash drive!
I have done a repair of the XP files (restore over the top of itself) and put in SP2, to no avail.
The customer is 30 miles away and doesn't want me to take the computer away, so it would assist me greatly if someone could simply identify the virus, rather than suggest small tweaks... any ideas?
Question by: JohnDecker
7 Comments
 
LVL 17

Accepted Solution

by: Lobo042399 (earned 500 total points)
ID: 12313397
Hi John,

That sounds nasty. Have you tried a scan with Process Explorer to identify any nasties running in the background? I would also try running an online scan from either Symantec or TrendMicro.

Symantec:
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

Trend Micro:
http://housecall.antivirus.com/housecall/start_corp.asp

Another thing I would give a run is TrojanRemover... if it installs.

What else.... How about trying the installation of AVG in Safe Mode? Tried that?

Those are a few ideas. I don't think anyone can positively identify the particular infection you're dealing with without more details. Some may suggest HijackThis! I would not go that far just yet. Let's see what Process Explorer comes up with first.

To download Process Explorer, Trojan Remover, and some other tools, you can go to:

http://www.gatesofdelirium.com/ee/tools/

Good Vibes!

Lobo
 
LVL 11

Expert Comment

by: ghana
ID: 12320180
Taken from http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.R about the SDBOT variant:
"This malware propagates via shared network drives. It has backdoor capabilities of connecting to an Internet Relay Chat (IRC) server and listening for remote commands from a malicious user. Then, it executes the commands, virtually handing out access and control of the affected system to the malicious user."

I would not do any repair on that computer. Nobody knows what the "malicious user" has already done on that system. Because of that we are not able to undo these steps. I would recommend erasing the hard disk and beginning with a fresh install.
 
LVL 17

Expert Comment

by: Lobo042399
ID: 12320838
There are several backdoor trojans that do that, and the majority of them exploit the access granted to use the compromised machines in Denial of Service attacks. Unless John knows or suspects that there is someone in particular who would be interested in hacking his machine for personal reasons, I would not worry about that. Wiping the HD is always the last resort. Well, second to last... the last resort is trashing the box and getting a new one.

Good Vibes!

Lobo
 
LVL 11

Expert Comment

by: ghana
ID: 12320988
I suspect that the machine is already hacked. Otherwise removing the detected trojans must result in a clean system. But the installation failures of AVG and Ad-Aware indicate that the machine is not clean. That's the reason why I would worry about that. If this were my computer I would wipe the HD...
 
LVL 4

Author Comment

by: JohnDecker
ID: 12324813
Thanks - I thought I had posted a comment earlier after Lobo's first post, but obviously forgot to submit...

I have downloaded all the tools I think will be useful and will advise. My take on it is that Housecall simply missed whatever it is that is doing it, so the system still isn't clean, not necessarily hacked. Despite all the hype I have never actually come across a machine where someone else has obviously taken control, and as long as it is not connected I should be able to beat it. I could wipe the hard drive, and I may end up doing so - it may even work out cheaper for the customer - but you all know the hassle that involves, so it will be a last resort. Well, third last: second last is buying a new one, and my last resort is my favourite; I go out to a friend's farm and shoot old computers that really annoy me.  :o)
I'll let you know on Monday how it went.
 
LVL 4

Author Comment

by: JohnDecker
ID: 12337158
OK, all done. Only a B because I had to do the work, but it was the tools that really solved it, and the link which enabled me to get to them.
I used DLL Compare and Kill Box. DLL Compare found 6 DLLs that were questionable; I checked their properties etc. and deleted them. One would not go - even in Safe Mode - xsdsx2muuby.dll, which I presume is a random name. It comes from Melkosoft, a Russian outfit. Kill Box did the trick where nothing else would, and AVG, AdAware etc. all started to run beautifully.
Found endless backdoor trojans, porn downloaders and dialers, and left the mother asking which of her kids had been looking up pretty hard core porn on the net...
Thanks guys
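The "compare the DLLs, inspect the odd ones out" step John describes above, written out as an added example (this is not code from the page, from the DLL Compare tool or from any of the participants). It assumes you were able to take a hash manifest of the system folder while the install was known-clean (a fresh install, or a baseline carried on your tools CD) and then take a second one on the suspect machine; the file names and contents below are constructed stand-ins, not real PE files. The `looks_random` name heuristic is my own assumption for triage ordering, not a detection rule.

```python
"""Baseline-and-compare for a directory of DLLs, plus a name-triage heuristic.
Added example with constructed sample files; not the DLL Compare tool's code."""
import hashlib
import os
import re
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large DLLs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory):
    """Map each lowercase .dll file name in `directory` to its SHA-256."""
    manifest = {}
    for name in os.listdir(directory):
        if name.lower().endswith(".dll"):
            manifest[name.lower()] = sha256_file(os.path.join(directory, name))
    return manifest


def compare(baseline, current):
    """Diff two manifests: files dropped in, files that vanished, and
    files whose contents changed (a patched or replaced system DLL)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in baseline
                          if n in current and baseline[n] != current[n]),
    }


_CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-xz]+")   # 'y' deliberately excluded
_EMBEDDED_DIGIT = re.compile(r"[a-z]\d+[a-z]")


def looks_random(filename, min_run=4):
    """Triage heuristic (an assumption, not a rule): a name such as
    xsdsx2muuby.dll has digits wedged between letters AND a long run of
    consonants. Either property alone is common in legitimate names
    (mfc42u.dll, msvcrt.dll), so both are required. Use it only to decide
    what to inspect first, never as the sole reason to delete a file."""
    stem = os.path.splitext(filename.lower())[0]
    longest = max((len(m) for m in _CONSONANT_RUN.findall(stem)), default=0)
    return bool(_EMBEDDED_DIGIT.search(stem)) and longest >= min_run


def _write(directory, name, data):
    with open(os.path.join(directory, name), "wb") as fh:
        fh.write(data)


def demo():
    """Run the workflow against a constructed scratch directory."""
    root = tempfile.mkdtemp(prefix="dllcompare_")
    # Constructed stand-ins for a clean system folder (not real PE files).
    for name in ("kernel32.dll", "shell32.dll", "msvcrt.dll"):
        _write(root, name, b"MZ clean " + name.encode())
    baseline = snapshot(root)          # taken while the machine is known-good

    # Simulate the infection: one system DLL patched, one random DLL dropped.
    _write(root, "shell32.dll", b"MZ patched shell32")
    _write(root, "xsdsx2muuby.dll", b"MZ dropped loader")
    current = snapshot(root)           # taken on the suspect machine

    report = compare(baseline, current)
    report["random_names"] = [n for n in report["added"] if looks_random(n)]
    return report


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key:13s} {names}")
```

The manifest diff is the part that carries weight: a system DLL whose hash no longer matches the clean baseline is as interesting as a newly dropped file, and neither depends on guessing from the name. Note that this only identifies candidates; as the thread shows, a DLL that is loaded into a running process may refuse to delete even in Safe Mode, which is why a separate deletion-at-reboot tool was needed for the last one.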
 
LVL 17

Expert Comment

by: Lobo042399
ID: 12338137
Hi John,

Thanks for the points. Yeah, I love those looks moms give their kids when they find out they haven't really been downloading pictures of Spongebob. Glad you got the case solved.

Good Vibes!

Lobo
