Dio fiasco...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by utxdoni, Jan 1, 2008.

  1. utxdoni

    utxdoni Private E-2

    I posted this under the newbie section of the site...probably would get more help posting it HERE though...

    I'm wondering what I should do, now that I have banged my head against the wall, and am still stymied. *sigh*...I did everything below, but still can't d/l virus protection?! Everything else seems to be working with no problem, and my scans are coming out 'clear' with every program (ccleaner, spybot s&d, avg spyscanner), but am still getting error messages when I try to d/l avg virus scanner, or even norton:

    I've been looking for a "post" button, but I guess this is the only way to post...since I couldn't find any 'reply' buttons in the threads I was using...

    OK...I did ALL the steps for deleting malware on this page:

    http://forums.majorgeeks.com/showthread.php?t=139313

    (thankyouverymuch!!)

    Everything seems fine, as I'm able to get online etc, though I still haven't tried to send/receive email, because...

    While I was panicking/trying everything, I 'allowed' the free version of Norton that came with this laptop (hp pavilion entertainment pc w/XP)...because the computer came up as "brand spanking new" two days ago (it's 6 mos old, I have no idea what happened, but when it happened, it erased my virus protection, too).

    ...I think everything is still 'in here', though, I had to reconfigure Outlook Express, and all my emails are gone. But, when I reinstalled Opera, it started up with all the previous tabs that were there before the crash...

    SO, the scary message on my wallpaper saying I was infected, is now gone, thanks to your site, but when I go in and try to delete the AVG Virus scanner I first tried to install, I get an 'error' message:

    Error: Checking of state of the item file avgw.exe failed.
    File opening failed. %FILE% = "C:\Program Files\Grisoft\AVG7\avgw.exe"
    Permission denied

    when I try to uninstall Norton, so there aren't two on here, it tells me I don't have Admin rights??

    Does anyone know what I need to do?

    Thanks for all the incredibly helpful stuff here!!! It's been two days, and I had no success debugging, until I found this site.

    Every time I tried to d/l a virus/spy scanner, I'd get 're-directed' to DioCleaner...I got all the way to check out with the diocleaner, then before hitting 'submit' I did a search for DioCleaner, and found you wonderful peeps, and that I was getting ready to make a FATAL error.

    I've been faithfully following the instructions, here at MG...and, now I'm able to use Opera and IE with no apparent problems, except for those weird error messages with Norton and AVG, I'd think I was 'cured'...

    Should I do another run through of all these processes, with System Restore shut off?

    One more question...Before I disabled the TeaTimer on Spybot S&D, when I restarted I got a ton of 'warnings' and when I said to delete I got another warning that I was getting ready to delete, but there was no back up made...I couldn't find a way to pause, and make a back up, or anything...If I deleted everything it 'warned' about, did I screw up?

    Sorry If I'm a complete maroon. I truly appreciate your site, and hope I'm axing right for help. Heading back to the trenches now, to see if I can delete Norton and just keep AVG. *sigh*

    Doni
     
  2. abri

    abri MajorGeek

    Hi utxdoni!
    Welcome to Major Geeks!
    Have you posted in another part of the forum? The reason I ask is because this is your first post with this name.

    I think your computer is still infected. Please post the logs that were created when you ran the instructions in the READ & RUN ME FIRST.

    There may be a log from AVG Antispyware. There should be a log from Combofix and from MGlogs.zip (located directly under your root drive which is C:\ for most computers). If we can see your logs, we'll have a better idea of what is going on.

    You can try the Norton Removal Tool (SymNRT)

    Is your AVG antivirus running? Does your Windows Security Center show all three items lighted up - Firewall, Windows Updates and Antivirus? Is the icon for AVG antivirus in the lower right-hand corner of your computer screen in colors? Is it there at all?

    abri
     
  3. utxdoni

    utxdoni Private E-2

    Think I posted in the Welcome section, but maybe I forgot to submit?

    Thanks so much for the acknowledgement! I'm attaching my logs, below, and look forward to your diagnosis. :)

    I'm pretty sure I saved the AVG spyscanner log, but now I can't locate it...Is there any use in running it again and including that logfile?

    I'm off to try the Norton utility you mentioned.

    Regarding these questions:

    Is your AVG antivirus running?
    No

    Does your Windows Security Center show all three items lighted up - Firewall, Windows Updates and Antivirus?

    Yes

    Is the icon for AVG antivirus in the lower right-hand corner of your computer screen in colors? Is it there at all?

    Not there...Only the virusscanner one is there, and it is not in colors.

    Again, thanks SO MUCH for your help!!

    Doni

    :D
     

    Attached Files:

  4. utxdoni

    utxdoni Private E-2

    Re: Dio fiasco...Update

    THANK YOU! The Norton removal tool appears to have successfully removed the Norton virus scanner. Thought that might 'fix' the AVG error, but it is still occurring....

    I did find the logfile for the AVG Spyscan! Attaching now:
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi utxdoni!
    A once over and more tomorrow. Do the following:

    1) Disable Spybot's TeaTimer. This is a two step process.
    First step:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    Second step, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {B6FAFB44-63D9-4972-D82E-3CE675865896} - C:\WINDOWS\system32\jepkkjx.dll (file missing)

    After you click fix, just close hijackthis.


    3) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Make sure you tell me how things are working now!


    4) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
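An added example, not from this thread or from HijackThis itself, showing how the O2 line picked out in step 2 is structured and why an entry marked "(file missing)" is a safe fix: it is a BHO registration whose DLL is already gone, so fixing it only removes the dangling registry entry. The second log line, the O4 line and the existence check are constructed so it runs offline.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Matches a HijackThis "O2 - BHO" entry. HijackThis appends "(file missing)"
# when the DLL registered for the BHO is not on disk.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r" - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class BhoEntry:
    name: str          # "(no name)" is typical for malware BHOs
    clsid: str
    path: str          # DLL path as recorded in the registry
    file_missing: bool


def parse_o2_line(line: str) -> Optional[BhoEntry]:
    """Parse one HijackThis O2 line; return None for any other line type."""
    m = O2_RE.match(line.strip())
    if m is None:
        return None
    return BhoEntry(m["name"], m["clsid"].upper(), m["path"], m["missing"] is not None)


def is_orphaned(entry: BhoEntry, exists: Callable[[str], bool] = os.path.exists) -> bool:
    """An entry is orphaned when its DLL is gone: either HijackThis already
    flagged it, or our own check of the recorded path fails."""
    return entry.file_missing or not exists(entry.path)


def orphaned_bhos(lines: Iterable[str], exists: Callable[[str], bool] = os.path.exists) -> List[BhoEntry]:
    """Return the O2 entries whose DLL no longer exists, i.e. the ones worth fixing."""
    entries = (parse_o2_line(line) for line in lines)
    return [e for e in entries if e is not None and is_orphaned(e, exists)]


# Sample log: first line is the one from post #5; the other two are constructed.
SAMPLE_LOG = [
    "O2 - BHO: (no name) - {B6FAFB44-63D9-4972-D82E-3CE675865896} - C:\\WINDOWS\\system32\\jepkkjx.dll (file missing)",
    "O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\constructed\\example.dll",
    "O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
]

if __name__ == "__main__":
    # Pretend only the constructed DLL exists, so the result is deterministic offline.
    for e in orphaned_bhos(SAMPLE_LOG, exists=lambda p: p.endswith("example.dll")):
        print(f"orphaned BHO {e.clsid} -> {e.path}")
```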
     
  6. utxdoni

    utxdoni Private E-2

    Muchas Gracias for the updated help!!! I'm excited to get this bugger off my computerbaby's back!

    Just wanted to mention that the security center says the active virus scanner is AVG!? Even though I got an error message trying to install, and uninstall it...

    Off to try these new cures!
     
  7. utxdoni

    utxdoni Private E-2

    Re: Dio fiasco...(avenger logfile)

    Not sure I ran avenger, correctly...Instructions said to include everything in the textbox, and I included the part that said, "files to be deleted"...Anyway, when I scanned the logfile, there are error messages....

    I will wait for your expert opinion, after you look at the attached log. ;) Hope I did it right!!

    Thank you again, to you, and all the wonderful samaritans whose helpful fixes have gotten me closer and closer to fixing mah baybee. :)
     
  8. utxdoni

    utxdoni Private E-2

    Re: Dio fiasco...(avenger logfile)

    oops...where's that logfile?
     

    Attached Files:

  9. utxdoni

    utxdoni Private E-2

    Re: Dio fiasco...Am I CLEAN?

    I've run the MGTools program...

    Just attempted to uninstall AVG Virus scanner, as that was the only clue I had the problem was still in here...

    It worked! (I selected 'no' to uninstalling it, so I'm protected again, TG!)

    I'm so grateful...It appears it's really and truly fixed.

    Where do I donate? LOL

    This puter is literally my life...Dunno what I would have done without it. :')

    Thank you from Texas!
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi utxdoni!

    I'm very happy your computer is working better. Avenger ran correctly. There are still files on your computer which need to be removed. Please do the following.


    1) Go to add/remove programs and uninstall the below:

    - J2SE Runtime Environment 5.0 Update 6


    2) Please rename the following file C:\WINDOWS\system32\drivers\symlcbrd.sys to symlcbrd.sys.fff You can leave it in the drivers folder.

    To rename the file, find it in Windows Explorer, right-click on it and select rename and enter the new name into the box which appears around the file on the right side of Windows Explorer.

    3) Please scan the following file(s) at either jotti or VirusTotal and let me know the results.

    C:\Documents and Settings\Doni.PC885314341208\Application Data\9225e3f20dd2cd358092bd316a5966da.dat


    4) Continue as follows:
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Now run ATF Cleaner as per the instructions in post #5.


    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log and the results for the Jotti / Virus Total report.


    Let me know how things are running now.

    abri
     
  11. utxdoni

    utxdoni Private E-2

    - J2SE Runtime Environment 5.0 Update 6
    DELETED...

    2) Please rename the following file C:\WINDOWS\system32\drivers\symlcbrd.sys to symlcbrd.sys.fff You can leave it in the drivers folder.

    To rename the file, find it in Windows Explorer, right-click on it and select rename and enter the new name into the box which appears around the file on the right side of Windows Explorer.

    I'm not sure what I did?! When I went back in to check that I renamed the file correctly...the new file name was directly under the one you told me to rename? eek!

    When I tried renaming it, again, the system (of course) said that name was in use, so I renamed the one I changed the first time (I was just certain I got the right file? Could it have 'copied'?), by putting a 1 after the string, and then renamed the file (symlcbrd.sys), again...Now it looks like this:
    symlcbrd.sys.fff
    symlcbrd.sys.fff1

    I hope this makes sense, and that I haven't totally messed up!


    3) Please scan the following file(s) at either jotti or VirusTotal and let me know the results.

    C:\Documents and Settings\Doni.PC885314341208\Application Data\9225e3f20dd2cd358092bd316a5966da.dat


    This scan produced the following result at jotti:

    The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

    and this from virustotal:

    0 bytes size received / Se ha recibido un archivo vacio


    This message was AFTER I disabled the firewall, to see if it would make a diff.


    Now I'm going on to run Avenger....Just want to keep things straight in my haid...It helps for me to write down my steps...Thank you for bearing with me :)



    4) Continue as follows:
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Now run ATF Cleaner as per the instructions in post #5.


    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log and the results for the Jotti / Virus Total report.


    Let me know how things are running now.

    abri
     
  12. utxdoni

    utxdoni Private E-2

    Re: Dio fiasco...How 'm I doing?

    Think I ran everything twice, to be sure I did it correctly...Hope I haven't royally messed up...I know enough to be dangerous, sometimes!

    Question: Would it be okay to delete the line you asked me to scan?

    C:\Documents and Settings\Doni.PC885314341208\Application Data\9225e3f20dd2cd358092bd316a5966da.dat

    Attached are my logfiles...and thank you!! :drool

    Looking forward to my progress report. :)

    Doni
     

    Attached Files:

  13. abri

    abri MajorGeek

    utxdoni!
    Biggest apologies!! In spite of all our systems, a post does slip by unnoticed sometimes. I'm really sorry. If you can take the time, it would be good to finish, for one thing, so you don't have all our logs and stuff left on your computer. Please get back in touch.

    Things to do:

    Yes you can delete the below file:
    C:\Documents and Settings\Doni.PC885314341208\Application Data\9225e3f20dd2cd358092bd316a5966da.dat

    You can also delete the files you were renaming, since you don't need them. They were from Symantec. So delete any of the below:
    C:\WINDOWS\system32\drivers\symlcbrd.sys
    C:\WINDOWS\system32\drivers\symlcbrd.sys.fff
    C:\WINDOWS\system32\drivers\symlcbrd.sys.fff1


    Are you still having any malware issues?


    Thanks.
    abri
     
    Last edited by a moderator: Jan 23, 2008
