Full Version: How to remove kbdsys.exe
Kaspersky Lab Forum > English User Forum > Virus-related issues
rheiam
A user double-clicked Classified.exe and it now prevents Kaspersky from running. Please help.

I tried looking at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\Document and Settings\All Users\application data\Microsoft\KBDriver\kbdsys.exe". I can't delete kbdsys.exe; I guess this file is also the one preventing me from running Task Manager or even processxp.
Helmut
Read this article.
richbuff
Please attach the zipped virusinfo_syscure.zip; instructions, see: http://forum.kaspersky.com/index.php?s=&am...st&p=678334
rheiam
QUOTE(Helmut @ 21.07.2009 09:20) *
Read this article.


Thanks for the reply, but I've already tried this in safe mode and was unable to run Task Manager to end the process.

Richbuff, here's the AVZ log.
richbuff
Run this script, instructions: http://forum.kaspersky.com/index.php?s=&am...st&p=678368 PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\system32\nthlpsvc1.exe','');
QuarantineFile('C:\WINDOWS\system32\nthlpsvc2.exe','');
QuarantineFile('C:\WINDOWS\lsass.exe','');
QuarantineFile('C:\WINDOWS\system.exe','');
QuarantineFile('C:\autorun.inf','');
QuarantineFile('C:\Read1st!.exe','');
QuarantineFile('D:\autorun.inf','');
QuarantineFile('D:\Read1st!.exe','');
DeleteFile('D:\Read1st!.exe');
DeleteFile('D:\autorun.inf');
DeleteFile('C:\Read1st!.exe');
DeleteFile('C:\autorun.inf');
DeleteFile('C:\WINDOWS\system.exe');
DeleteFile('C:\WINDOWS\lsass.exe');
DeleteFile('C:\WINDOWS\system32\nthlpsvc2.exe');
DeleteFile('C:\WINDOWS\system32\nthlpsvc1.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After running the script, attach a ComboFix log. Please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry, this is normal and it will be restored after scanning has completed.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post. Also, please don't forget to resume the Kaspersky protection that you paused.
rheiam
Too bad, I can't run ComboFix in Windows normal or even safe mode... Kaspersky is preventing it. Unfortunately Kaspersky was not visible on my taskbar, and I can't even uninstall Kaspersky; my uninstall password won't work. We have 500 workstations here. Where can I send a sample of the virus?
richbuff
Send a sample to the Lab; instructions are located in the third important topic near the top of the Virus section of this forum: http://forum.kaspersky.com/index.php?showtopic=13881
rheiam
QUOTE(richbuff @ 22.07.2009 02:07) *
Send a sample to the Lab; instructions are located in the third important topic near the top of the Virus section of this forum: http://forum.kaspersky.com/index.php?showtopic=13881



Client workstation status is getting worse..

Extra info for infected PCs: folder names were created with .exe. The original folders were set to the hidden attribute.
richbuff
QUOTE
Folder names were created with .exe..
Send them to the lab. Then scan and disinfect after new disinfection updates are pushed out.
rheiam
QUOTE(richbuff @ 22.07.2009 11:46) *
Send them to the lab. Then scan and disinfect after new disinfection updates are pushed out.


Updates given by the lab: Worm.Win32.VB.arz is now deleted. Severe infections lead to a reformat and re-installing Kaspersky.
By the way, with regard to the folders that were changed to the hidden attribute (unable to reset in DOS or in Windows), I used the iReset tool to reset the folder attributes to normal mode. Hope it can help others!

Thanks a lot richbuff!!!
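Two indicators come up in this thread: the Winlogon Shell value carrying an extra program after Explorer.exe, and folders being hidden and shadowed by same-named .exe files. The following is an added example (not from the forum posts or from Kaspersky) of checks a desktop admin could run over a registry value and a directory listing to find both patterns; the directory listing here is constructed sample data, and the path in the usage line is an assumed corrected form of the one quoted in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str      # file or folder name as listed in the directory
    is_dir: bool
    hidden: bool   # True when FILE_ATTRIBUTE_HIDDEN is set


def extra_shell_entries(shell_value: str) -> list[str]:
    """Return every program in a Winlogon Shell value other than explorer.exe.

    Winlogon treats the value as a comma-separated list; the value quoted in
    this thread instead appends the extra program after a space, so both
    separators are handled. A clean machine yields an empty list.
    """
    extras = []
    for item in shell_value.split(","):
        item = item.strip()
        head, _, rest = item.partition(" ")
        if head.lower() == "explorer.exe":
            item = rest.strip()          # drop the legitimate shell
        if item:
            extras.append(item)
    return extras


def find_folder_masquerades(entries):
    """Pair each '<name>.exe' file with a hidden folder called '<name>'."""
    hidden_dirs = {e.name.lower(): e.name for e in entries if e.is_dir and e.hidden}
    hits = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".exe"):
            continue
        stem = e.name[:-4].lower()
        if stem in hidden_dirs:
            hits.append((e.name, hidden_dirs[stem]))
    return hits


# Constructed sample listing (not real data): two folders hidden and
# shadowed by executables of the same name, plus two benign entries.
SAMPLE_LISTING = [
    Entry("Reports", True, True),
    Entry("Reports.exe", False, False),
    Entry("Budget", True, True),
    Entry("budget.exe", False, False),
    Entry("Archive", True, False),      # visible folder, no twin: ignored
    Entry("setup.exe", False, False),   # exe with no hidden twin: ignored
]

if __name__ == "__main__":
    print(extra_shell_entries("Explorer.exe C:\\Documents and Settings\\All Users\\application data\\Microsoft\\KBDriver\\kbdsys.exe"))
    print(find_folder_masquerades(SAMPLE_LISTING))
```

On a live machine the Shell value would be read from the Winlogon key named in the thread and the listing built from os.scandir plus the file attributes, which this example deliberately keeps out so it runs offline.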