Author Topic: [Inactive] Infected With TDSS Rootkit


Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22639
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected With TDSS Rootkit
« Reply #285 on: April 16, 2012, 03:09:11 PM »
Try it again with everything still open. I am hoping that if it is all left open, then the open ports will be left open as well. To get to a command prompt without closing everything, go to the start button then to all programs then accessories and then to command prompt.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline soupman

  • Bronze Member
  • Posts: 144
Re: [In Progress] Infected With TDSS Rootkit
« Reply #286 on: April 16, 2012, 05:01:10 PM »
Today
Closed out of all, last night, and woke it up to the "This computer is in use and has been locked..." box... again. I can't believe it. Desktop icons are incomplete, firewall status icon in tray is gone, again.
Killed it, rebooted (theme changed - I changed it back), restarted (theme changed again - I changed it back).
Has run great the rest of the day.

At the time of the error today I had three tabs open and was poring over a good sized PDF file. I checked the times and six minutes AFTER the warning, I e-filed my taxes.
I went back to where I was when today's error occurred, and ran this on the off chance it might tell you something. There has been no further error today.
I'm still trying to figure out how I'm going to know when this error occurs, so I can create an accurate log. I can actually watch this same info in the Online Armor status icon in my tray (that keeps crashing - see above), if that would help us.


Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    24.116.151.6:1166      72.5.58.53:80          ESTABLISHED     1576
  TCP    24.116.151.6:2564      91.198.117.248:443     CLOSE_WAIT      2440
  TCP    24.116.151.6:3841      74.125.227.21:443      ESTABLISHED     3496
  TCP    24.116.151.6:3879      74.125.227.22:443      ESTABLISHED     3496
  TCP    24.116.151.6:3912      209.17.88.144:80       TIME_WAIT       0
  TCP    24.116.151.6:3914      209.17.88.144:80       TIME_WAIT       0
  TCP    24.116.151.6:3915      209.17.88.144:80       TIME_WAIT       0
  TCP    127.0.0.1:3684         127.0.0.1:3685         ESTABLISHED     3496
  TCP    127.0.0.1:3685         127.0.0.1:3684         ESTABLISHED     3496
  TCP    127.0.0.1:3880         127.0.0.1:12080        TIME_WAIT       0
  TCP    127.0.0.1:3884         127.0.0.1:12080        TIME_WAIT       0
  TCP    127.0.0.1:3890         127.0.0.1:12080        TIME_WAIT       0
  TCP    127.0.0.1:3900         127.0.0.1:12080        TIME_WAIT       0
  TCP    127.0.0.1:3920         127.0.0.1:12080        TIME_WAIT       0
  TCP    127.0.0.1:3922         127.0.0.1:12080        TIME_WAIT       0
  TCP    127.0.0.1:3928         127.0.0.1:12080        TIME_WAIT       0
  TCP    127.0.0.1:3930         127.0.0.1:12080        TIME_WAIT       0
  TCP    127.0.0.1:3932         127.0.0.1:12080        TIME_WAIT       0
  TCP    127.0.0.1:3933         127.0.0.1:12080        TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:2548         CLOSE_WAIT      1576
  TCP    127.0.0.1:12080        127.0.0.1:3882         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3885         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3888         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3892         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3893         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3894         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3898         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3902         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3904         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3905         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3916         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3918         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3923         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3926         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3930         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3936         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:3947         TIME_WAIT       0
  TCP    127.0.0.1:27275        127.0.0.1:3938         TIME_WAIT       0
  TCP    127.0.0.1:27275        127.0.0.1:3941         TIME_WAIT       0
  TCP    127.0.0.1:27275        127.0.0.1:3942         TIME_WAIT       0
  TCP    127.0.0.1:27275        127.0.0.1:3943         TIME_WAIT       0
  TCP    127.0.0.1:27275        127.0.0.1:3944         TIME_WAIT       0
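As an added example (not from the thread or its participants), here is a small Python triage helper for a pasted "netstat -ano" listing like the one above. It parses the rows, drops loopback chatter and kernel-owned TIME_WAIT entries (PID 0), and groups the remaining remote endpoints by owning process, which is the view you want when trying to log what a machine was talking to at the moment a symptom appeared. The sample rows are a constructed subset of the listing posted above.

```python
from collections import defaultdict

# Constructed sample: a subset of the "netstat -ano" rows posted in the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    24.116.151.6:1166      72.5.58.53:80          ESTABLISHED     1576
  TCP    24.116.151.6:2564      91.198.117.248:443     CLOSE_WAIT      2440
  TCP    24.116.151.6:3841      74.125.227.21:443      ESTABLISHED     3496
  TCP    24.116.151.6:3912      209.17.88.144:80       TIME_WAIT       0
  TCP    127.0.0.1:3684         127.0.0.1:3685         ESTABLISHED     3496
  TCP    127.0.0.1:12080        127.0.0.1:2548         CLOSE_WAIT      1576
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows carry no State column, so the PID is always the last field.
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        loopback = foreign.startswith("127.") or foreign.startswith("*")
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid, "remote": not loopback})
    return rows


def remote_by_pid(rows):
    """Map PID -> sorted remote endpoints it still holds.

    TIME_WAIT rows are excluded: the socket is already closed and Windows
    reports PID 0 for it, so it tells you nothing about a live process.
    """
    out = defaultdict(set)
    for r in rows:
        if r["remote"] and r["state"] != "TIME_WAIT" and r["pid"] != 0:
            out[r["pid"]].add(r["foreign"])
    return {pid: sorted(peers) for pid, peers in out.items()}


if __name__ == "__main__":
    # Pair each PID with "tasklist /FI "PID eq <pid>"" to name the process.
    for pid, peers in sorted(remote_by_pid(parse_netstat(SAMPLE)).items()):
        print(f"PID {pid}: {', '.join(peers)}")
```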
 

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #287 on: April 16, 2012, 05:57:29 PM »
Do you still have Avast installed? Which Online Armor are you using?


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #288 on: April 16, 2012, 07:27:31 PM »
Avast Free
Version 7.0.1426

Online Armor Free
Version 5.5.0.1557

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #289 on: April 16, 2012, 07:45:55 PM »
I would like you to try something if you are willing. You will be able to go back after we either confirm or delete what is causing the problem.

Please uninstall Avast and install AVG free (or any other free AV scanner).

Then open Firefox with the three tabs, and whatever else you had that caused this last issue, and let it run overnight. Let me know if the problem reoccurs.


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #290 on: April 18, 2012, 10:00:32 AM »
Avast would not uninstall from add/remove so I used the Avast uninstall tool in safe mode. It's gone.

AVG says I have to UNINSTALL a "conflicting" Online Armor. I tried just disabling it but no go. Are these two going to eventually play nice? Is there a work around for this?

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #291 on: April 18, 2012, 10:40:42 AM »
Sometimes when you get a program from a vendor that is part of a larger suite except for the free version, they have only changed some of the configuration files so you only see part of the program. The other part of the suite is there, and it causes problems.

Try uninstalling Online Armor, install AVG and then reinstall Online Armor.


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #292 on: April 21, 2012, 12:27:54 PM »
Well, we're definitely on to something... I'm just not exactly sure what.

Did as you suggested... Uninstalled Online Armor, installed AVG and then reinstalled Online Armor from scratch. Then went for a ride, for a day or so, while AVG settled in. So many things happened I wouldn't know where to begin.

Simply put... so far all the old problems are gone, replaced by new ones. Overall it's better.

Based on this experience... it's sure looking like after my updates of Avast and Online Armor awhile back, somebody got sideways with somebody.

Let me know if there was something in particular you were looking for out of this process. I'd like to see how this goes for a couple more days and do some more research.

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #293 on: April 21, 2012, 12:37:02 PM »
Well, what you told me confirmed what I was starting to suspect: an induced problem.

What kind of problems are you seeing now?


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #294 on: April 29, 2012, 02:28:00 PM »
All my old problems are still gone, thank you. Computer has been performing smoothly. All those anti-virus TCP's in the firewall status box are gone.

All the new issues seem to be related to AVG. There are also a lot of things in their Free suite that I don't want. AVG is a huge resource pig overall.

Related to their "Identity Protection" was avgidsagent.exe which was using 2 million k of virtual memory. Maybe also conflicting with Spybot Teatimer. Before I could disable it, it disabled itself. Good.

AVG link scanner, which I DID want, is no longer compatible with the latest Firefox update and has been disabled.

Now their famous "Update Manager needs restart" problem has struck. Quick fixes aren't working, so if I'm going to have to get into repair programs, uninstalls/reinstalls, etc... I'd just rather get rid of it.

Boy, do I long for the days when Avast and Online Armor played nice with no issues. Hoov, now that we know kinda what the problem was, does that allow us to get that back again?

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #295 on: April 29, 2012, 02:44:32 PM »
I think with the AVG problem, uninstall AVG and then run the AVG Removal Tool to clean it all up, then reinstall AVG. As for the components in AVG, you can disable most of them if you want. As for the link scanner issue and Firefox, that is purely Firefox causing the problem with their new update scheme. AVG should be fixing that soon.

As for Avast and Online Armor, go ahead and give it a shot. If they cohabited before, they should do so again. But if you do, try it before reinstalling AVG, but after running the removal tool.

Glad to hear that the computer is running well. This has been a long one.


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #296 on: April 29, 2012, 04:24:53 PM »
Yes it has and, again, I have to thank you for your help.

AVG detected a corrupted copy of Windows XP SP3, in my downloads folder, and moved it to the virus bin. I had more than one copy in there from back when we made the backup disk.

Is it possible I could have used that copy to make my disk? Or would a flag have come up somewhere along the line letting me know it was corrupted?

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #297 on: April 29, 2012, 05:10:13 PM »
If the file is corrupted then you would not have been able to use it. When you unzip a file like that it does a self check, and if it fails then you can't use it.

Let me know how it goes with Avast and OA.


Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #298 on: May 28, 2012, 06:42:36 PM »
soupman, do you still need help?
