Full Version: Malware won't allow me to run any anti-virus software
Kaspersky Lab Forum > English User Forum > Virus-related issues
Cristina
I seem to have a malware. I try to run Kaspersky and it won't open. I downloaded AVZ and it won't let me open it.
First a window opens up that shows an image of the My Computer file showing My Documents, Hard Drive, etc.
I try to close it and a second window that looks like Windows Security Alert opens. I can't choose the button to remove the viruses and I can't close that window either.
When I'm finally able to close all those windows I then see a window asking if I want to run an Install.exe.

I have Kaspersky Anti Virus 7.0.1.325
I have Windows XP Home.

Please let me know if any other information is needed.

Thank you!!!!
richbuff
Welcome. Download AVZ from here: http://www.malwarecrawler.com/a-v-z.exe

Please attach the zipped virusinfo_syscure.zip; instructions, see: http://forum.kaspersky.com/index.php?s=&am...st&p=678334 Download it from the link that I posted above.
Cristina
Loaded zip file.

Waiting for your reply.

Thank you very much!
C
richbuff
Run this script, instructions: http://forum.kaspersky.com/index.php?s=&am...st&p=678368 PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\system32\drivers\svchost.exe','');
QuarantineFile('C:\WINDOWS\System32\SYSDLL.exe','');
QuarantineFile('C:\WINDOWS\system32\digiwet.dll','');
QuarantineFile('C:\windows\freddy46.exe','');
QuarantineFile('C:\windows\ld08.exe','');
QuarantineFile('C:\windows\mstre19.exe','');
QuarantineFile('C:\windows\pp10.exe','');
QuarantineFile('C:\WINDOWS\services.exe','');
QuarantineFile('D:\autorun.inf','');
DeleteFile('D:\autorun.inf');
DeleteFile('C:\WINDOWS\services.exe');
DeleteFile('C:\windows\pp10.exe');
DeleteFile('C:\windows\mstre19.exe');
DeleteFile('C:\windows\ld08.exe');
DeleteFile('C:\windows\freddy46.exe');
DeleteFile('C:\WINDOWS\system32\digiwet.dll');
DeleteFile('C:\WINDOWS\System32\SYSDLL.exe');
DeleteFile('C:\WINDOWS\system32\drivers\svchost.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After running the script, attach a Combofix log. Please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.
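A triage sketch for the pattern visible in the first AVZ script in this thread, added here and not part of richbuff's post or of AVZ: two of the quarantined files carry the names of core Windows binaries (svchost.exe, services.exe) but sit outside system32, and D:\autorun.inf sits in a drive root. The expected-folder table and the function names are assumptions; the check is a heuristic and does not flag randomly named files such as pp10.exe.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption (not from the thread): normal folder for core Windows XP binaries.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def triage(path):
    """Return the reasons a path deserves a closer look (empty list if none)."""
    norm = ntpath.normpath(path).lower()
    folder, name = ntpath.split(norm)
    _, tail = ntpath.splitdrive(norm)
    reasons = []
    expected = EXPECTED_DIR.get(name)
    if expected and folder != expected:
        reasons.append("system binary name outside " + expected)
    if folder.endswith("\\drivers") and name.endswith(".exe"):
        reasons.append("executable in drivers folder")
    if tail == "\\autorun.inf":
        reasons.append("autorun.inf in drive root")
    return reasons

def scan(paths):
    """Map each flagged path to its reasons; unflagged paths are omitted."""
    return {p: r for p in paths if (r := triage(p))}

# Paths taken from the AVZ script, plus two constructed clean ones (last two).
SAMPLE = [
    r"C:\WINDOWS\system32\drivers\svchost.exe",
    r"C:\WINDOWS\services.exe",
    r"C:\windows\pp10.exe",
    r"D:\autorun.inf",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\explorer.exe",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```

An autorun.inf in the root of an optical disc is normal; the flag matters for writable drives, and every hit still needs a signature or hash check before anything is deleted.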
Cristina
Before I could get all of your instructions Internet Explorer stopped working. I had my internet connection running fine but I couldn't open a window.
I had to do a system restore.
I then followed your instructions. Attached is the combofix log. Have I gotten all the viruses deleted?
Now, I am having another issue. The restore point I went back to is on an older Kaspersky anti virus that needs to be renewed. I renewed in May. I have the install for k anti virus 7.0.1.325 but once I restart after install the process breaks down with an error.
I just want to get back to the K anti virus version that I renewed to so that I can run it religiously.
Please help me get my computer back in shape....pretty please.
C
richbuff
Run this script, PC will reboot, instructions: http://forum.kaspersky.com/index.php?s=&am...st&p=678368
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('c:\windows\system32\3104203574.dat','');
QuarantineFile('c:\windows\system32\drivers\33514909.sys','');
DeleteFile('c:\windows\system32\drivers\33514909.sys');
DeleteFile('c:\windows\system32\3104203574.dat');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Then, run this one:
CODE
begin
CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/
Then, Private Message me the Download link to the uploaded file. Click my user name and select Send message. Lastly, uninstall Combofix by: pause Kaspersky > Start > run > type combofix /u > ok. Or Start > run > type help /u > ok. Restart Kaspersky.

Also, if you use Windows System restore, turn it off > reboot and do a full scan with Kaspersky. Then turn system restore back on, if you wish; this is to remove malware from system volume information files. How to turn it off/on: http://support.kaspersky.com/faq/?qid=208279208

Before doing the scan, Clear the Detected list: Detected > Active threats > right click > Disinfect all > right click > Clear list > then scan again > then post screenshot of Detected > Active threats. With columns widened to show full name and object details.

Also, scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but Please Don't fix anything yet, until the log is reviewed.

How to take and post screenshot: PrtSc (Print screen) key (upper right part of keyboard) > open Paint (Start > All programs > Accessories) > Edit > Paste, File > Save as (jpeg or png, Not bmp). When replying, Browse > click once to select file > Open > Upload > add reply.
Cristina
Hello Rich,
I have attached the Log for Malwarebytes' Anti Malware.
I also attached the Quarantine.zip.
I am having trouble running my Kaspersky because it is telling me I need to activate it. I had done that but now it keeps asking for it. I tried to activate with the activation code and then with the license key and it doesn't work. So I used the AVZ.exe to scan the whole system.
Please let me know what next steps I should take.
Thank you again,
C
richbuff
Fix what Malwarebytes detects, then uninstall Kaspersky > reboot > re install Kaspersky > reboot.
Cristina
I followed your instructions and Kaspersky is running perfectly.
There seems no sign of any malware.
What do I do with the Quarantine Zip files and Qoobox zip?

Thank you so much!! You saved my computer and my life.
I can breathe easy again.
Thank you for all your efforts.
richbuff
You're welcome. You can delete the Quarantine.zip and Qoobox.zip folders.