Ad Aware Fluke

Discussion in 'Software' started by Wenchie, Feb 1, 2004.

  1. Wenchie

    Wenchie I R teh brat

    Starting about a month ago every time I run ad-aware, I get the alert message below. However the file it refers to, in fact the entire folder it's contained in, disappears almost instantly. I've opened the local Before running and scanned the folder after it appears, and AVG detects no virus. I'm confused, does anyone know anything about this particular issue?
     

  2. alanc

    alanc MajorGeek

    Hey Wenchie, hope you're up for some reading, I found a variety of info on this particular nasty. I'm assuming you're on XP. This is from Grisoft's AVG site:
    As AbbySue pointed out, the 1st step is to patch the vulnerability. Info from MS on the vulnerability and patch:

    http://www.microsoft.com/security/security_bulletins/ms03-011.asp

    http://support.microsoft.com/default.aspx?scid=kb;en-us;816093


    Symantec has some better info on this trojan:

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html

    Interesting points, esp #2:
    An example thread from someone else who was infected:

    http://www.dslreports.com/forum/remark,9190282~root=security,1~mode=flat


    So, the consensus of opinion to permanently deal with this PITA would seem to be:

    1. Patch the vulnerability

    2. Delete all your Temporary Internet Files

    3. Run "ipconfig /flushdns" from a command prompt

    4.
    -Turn off System Restore (you will lose all restore points, but it's necessary to prevent re-infection)
    -Reboot to Safe Mode and run a virus scan with the latest virus definitions, delete anything it finds
    -Turn System Restore back on, reboot

    5. Just to be safe, run an online scanner such as http://housecall.trendmicro.com to verify you're clean

    Also, if your homepage and/or search page in IE has been hijacked (there also may be some "offensive" entries in your Favorites that you didn't put there), download and run HijackThis, post the logfile here and someone can take a look at it.

    Hope that's not too much information :)
     
  3. Wenchie

    Wenchie I R teh brat

    I already have HijackThis, but I'm confused as to ". Run "ipconfig /flushdns" from a command prompt " How do I DO that...?

    Logfile of HijackThis v1.97.7
    Scan saved at 5:50:33 PM, on 2/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WUTemp\com_microsoft.810217_XP_SP2_5904\WindowsXP-KB810217-x86-ENU.exe
    c:\c7489678cba797aca8c3b41d62b921bb\update\update.exe
    C:\Documents and Settings\Nada\My Documents\junk\Drivers\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKLM\..\RunOnce: [KB826939] rundll32.exe apphelp.dll,ShimFlushCache
    O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe C:\WINDOWS\System32\iernonce.dll,RunOnceExProcess
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38019.6117476852
     
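An added example, not part of the thread: a small Python parser for the HijackThis log format posted above, grouping entries by section code and pulling out the fields a reviewer compares (hive, key and command for O4 startup items; CLSID, name and URL for O16 ActiveX downloads). The sample log is a constructed, trimmed copy of the one in the post, with the truncated akamai link replaced by a placeholder host.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the log posted above, with the
# truncated akamai URL replaced by a placeholder host.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://cdn.example.invalid/QuickTimeInstaller.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
SUBPARSERS = {"O2": O2_RE, "O4": O4_RE, "O16": O16_RE}

def parse_hjt_log(text):
    """Group entries by HijackThis section code (R0, O2, O4, O16, ...)."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process list and blank lines
        kind, body = m.group("kind"), m.group("body")
        detail = {"raw": body}
        sub = SUBPARSERS.get(kind)
        if sub and (sm := sub.match(body)):
            detail.update(sm.groupdict())  # section-specific fields
        entries[kind].append(detail)
    return dict(entries)

def review_findings(entries):
    """Items a reviewer looks at first: blanked IE settings, unnamed ActiveX downloads."""
    notes = []
    for e in entries.get("R0", []) + entries.get("R1", []):
        if e["raw"].rstrip().endswith("="):
            notes.append(f"empty IE setting: {e['raw'].rstrip(' =')}")
    for e in entries.get("O16", []):
        if "clsid" in e and e["name"] is None:
            notes.append(f"unnamed DPF {e['clsid']} from {e['url']}")
    return notes
```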
  4. goldfish

    goldfish Lt. Sushi.DC

    Start -> Run -> type "cmd", then type ipconfig /flushdns and hit enter in the DOS window.
    jobbed.
     
  5. Wenchie

    Wenchie I R teh brat

    ok, so I did that part, goldy m'love. How do I do the rest of what alanc was talking about?
     
  6. goldfish

    goldfish Lt. Sushi.DC

    To patch it up, you must go here :
    http://www.microsoft.com/downloads/...AC-69EF-4287-9A07-6C740F162644&displaylang=en
    and downloady and patchy, delete temp files, in IE tools, internet options, delete temporary files. (and maybe c:/documents and settings/username/local settings/temp?)

    Turn off and back on system restore, right click my computer, system restore, check the "turn off" checkbox, hit ok. After booting to safe mode and re-scanning, then go back and turn it on again. Should flush all restore points, therefore no more virus hiding in system restore.

    And like he says, check AVG is up to date; might wanna try that website he suggested too.

    :)
     
  7. alanc

    alanc MajorGeek

    Oops, sorry if my post was a little too vague. My bad. I didn't want to inundate you with any more how-to techie stuff than I thought necessary.

    Feel free to ask about anything you're unsure of. :)
     
  8. Wenchie

    Wenchie I R teh brat

    OK, after several tries, here's one: how in the hell do I boot to safe mode from XP?
     
  9. Wenchie

    Wenchie I R teh brat

    OK, that worked, but this is the message I got trying to run the scan in Safe mode...

    Interesting side note, I also found that safe mode bypasses my password by offering to allow me to log in as "Administrator", still allowing access to all my files. How precious. What's the point of the damn password?
     

  10. alanc

    alanc MajorGeek

    Hmmmm, looks like you may not be able to run an AVG scan in safe mode. Someone correct me if I'm wrong...

    [edit] Good link, x-man

    [edit v. 2.0] Wenchie, the Administrator account has full access to everything in XP, that's normal.
     
    Last edited: Feb 2, 2004
  11. alanc

    alanc MajorGeek

    OK, in light of that error message, I would suggest forgetting Safe mode.

    So:

    -Disable System Restore
    -Reboot normally, run the scan
    -Enable System Restore
     
  12. Wenchie

    Wenchie I R teh brat

    well, that's what I ended up doing :p and I didn't get the 'oops you broke it' warning when I ran ad-aware like normal. (I have a wav set up to say that when I get an alert) so me thinks it's all fixxied. Thanks guys :D If I eff it up again anytime soon, I'll let ya know :p
     
  13. alanc

    alanc MajorGeek

    Good job, Wenchie ;)
     
